Annotation of src/share/man/man7/sysctl.7, Revision 1.53
1.53 ! jruoho 1: .\" $NetBSD: sysctl.7,v 1.52 2010/12/11 19:55:53 jruoho Exp $
1.1 pavel 2: .\"
3: .\" Copyright (c) 1993
4: .\" The Regents of the University of California. All rights reserved.
5: .\"
6: .\" Redistribution and use in source and binary forms, with or without
7: .\" modification, are permitted provided that the following conditions
8: .\" are met:
9: .\" 1. Redistributions of source code must retain the above copyright
10: .\" notice, this list of conditions and the following disclaimer.
11: .\" 2. Redistributions in binary form must reproduce the above copyright
12: .\" notice, this list of conditions and the following disclaimer in the
13: .\" documentation and/or other materials provided with the distribution.
14: .\" 3. Neither the name of the University nor the names of its contributors
15: .\" may be used to endorse or promote products derived from this software
16: .\" without specific prior written permission.
17: .\"
18: .\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
19: .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20: .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21: .\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
22: .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23: .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24: .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25: .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26: .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27: .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28: .\" SUCH DAMAGE.
29: .\"
30: .\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95
31: .\"
1.53 ! jruoho 32: .Dd December 14, 2010
1.1 pavel 33: .Dt SYSCTL 7
34: .Os
35: .Sh NAME
36: .Nm sysctl
37: .Nd system information variables
38: .Sh DESCRIPTION
39: The
40: .Xr sysctl 3
41: library function and the
42: .Xr sysctl 8
43: utility are used to get and set values of system variables, maintained
44: by the kernel.
45: The variables are organized in a tree and identified by a sequence of
46: numbers, conventionally separated by dots with the topmost identifier
47: at the left side.
48: The numbers have corresponding text names.
49: The
50: .Xr sysctlnametomib 3
51: function or the
52: .Fl M
53: argument to the
54: .Xr sysctl 8
55: utility can be used to convert the text representation to the
56: numeric one.
57: .Pp
58: The individual sysctl variables are described below, both the textual
59: and numeric form where applicable.
60: The textual names can be used as argument to the
61: .Xr sysctl 8
62: utility and in the file
63: .Pa /etc/sysctl.conf .
64: The numeric names are usually defined as preprocessor constants and
65: are intended for use by programs.
66: Every such constant expands to one integer, which identifies the
67: sysctl variable relative to the upper level of the tree.
68: See the
69: .Xr sysctl 3
70: manual page for programming examples.
1.50 jruoho 71: .Ss Top level names
1.1 pavel 72: The top level names are defined with a CTL_ prefix in
1.33 joerg 73: .In sys/sysctl.h ,
1.1 pavel 74: and are as follows.
75: The next and subsequent levels down are found in the include files
76: listed here, and described in separate sections below.
1.21 joerg 77: .Bl -column security CTL_SECURITY "Next level names" "High kernel limits"
1.1 pavel 78: .It Sy Name Constant Next level names Description
1.21 joerg 79: .It kern CTL_KERN sys/sysctl.h High kernel limits
80: .It vm CTL_VM uvm/uvm_param.h Virtual memory
81: .It vfs CTL_VFS sys/mount.h Filesystem
82: .It net CTL_NET sys/socket.h Networking
83: .It debug CTL_DEBUG sys/sysctl.h Debugging
84: .It hw CTL_HW sys/sysctl.h Generic CPU, I/O
85: .It machdep CTL_MACHDEP sys/sysctl.h Machine dependent
86: .It user CTL_USER sys/sysctl.h User-level
87: .It ddb CTL_DDB sys/sysctl.h In-kernel debugger
88: .It proc CTL_PROC sys/sysctl.h Per-process
89: .It vendor CTL_VENDOR ? Vendor specific
90: .It emul CTL_EMUL sys/sysctl.h Emulation settings
91: .It security CTL_SECURITY sys/sysctl.h Security settings
1.1 pavel 92: .El
1.50 jruoho 93: .Ss The debug.* subtree
1.1 pavel 94: The debugging variables vary from system to system.
95: A debugging variable may be added or deleted without need to recompile
96: .Nm
97: to know about it.
98: Each time it runs,
99: .Nm
100: gets the list of debugging variables from the kernel and
101: displays their current values.
102: The system defines twenty
103: .Va ( struct ctldebug )
104: variables named
105: .Dv debug0
106: through
107: .Dv debug19 .
108: They are declared as separate variables so that they can be
109: individually initialized at the location of their associated variable.
110: The loader prevents multiple use of the same variable by issuing errors
111: if a variable is initialized in more than one place.
112: For example, to export the variable
113: .Dv dospecialcheck
114: as a debugging variable, the following declaration would be used:
1.43 jruoho 115: .Pp
1.1 pavel 116: .Bd -literal -offset indent -compact
117: int dospecialcheck = 1;
118: struct ctldebug debug5 = { "dospecialcheck", \*[Am]dospecialcheck };
119: .Ed
120: .Pp
121: Note that the dynamic implementation of
122: .Nm
123: currently in use largely makes this particular
124: .Nm
125: interface obsolete.
126: See
127: .Xr sysctl 8
128: .\" and
129: .\" .Xr sysctl 9
130: for more information.
1.50 jruoho 131: .Ss The vfs.* subtree
1.1 pavel 132: A distinguished second level name,
133: .Li vfs.generic ( VFS_GENERIC ) ,
134: is used to get general information about all filesystems.
1.26 elad 135: It has the following third level identifiers:
136: .Bl -tag -width compact
137: .It vfs.generic.maxtypenum ( VFS_MAXTYPENUM )
138: The highest valid filesystem type number.
139: .It vfs.generic.conf ( VFS_CONF )
140: Returns configuration information about the file-system type given as a fourth
141: level identifier.
142: .El
143: .Pp
144: The remaining second level identifiers are the file-system names, identified
145: by the type number returned by a
1.1 pavel 146: .Xr statvfs 2
147: call or from
1.27 wiz 148: .Li vfs.generic.conf .
1.1 pavel 149: The third level identifiers available for each filesystem
150: are given in the header file that defines the mount
151: argument structure for that filesystem.
1.50 jruoho 152: .Ss The hw.* subtree
1.1 pavel 153: The string and integer information available for the
154: .Li hw
155: level is detailed below.
156: The changeable column shows whether a process with appropriate
157: privilege may change the value.
1.37 jruoho 158: .Bl -column "hw.machine_arch" "integer" "Changeable" -offset indent
1.1 pavel 159: .It Sy Second level name Type Changeable
160: .It hw.alignbytes integer no
161: .It hw.byteorder integer no
162: .It hw.cnmagic string yes
163: .It hw.disknames string no
164: .It hw.diskstats struct no
165: .It hw.machine string no
166: .It hw.machine_arch string no
167: .It hw.model string no
168: .It hw.ncpu integer no
169: .It hw.pagesize integer no
170: .It hw.physmem integer no
171: .It hw.physmem64 quad no
172: .It hw.usermem integer no
173: .It hw.usermem64 quad no
174: .El
175: .Pp
176: .Bl -tag -width "123456"
177: .It Li hw.alignbytes ( HW_ALIGNBYTES )
178: Alignment constraint for all possible data types.
179: This shows the value
180: .Dv ALIGNBYTES
181: in
182: .Pa /usr/include/machine/param.h ,
183: at kernel compilation time.
184: .It Li hw.byteorder ( HW_BYTEORDER )
185: The byteorder (4321, or 1234).
186: .It Li hw.cnmagic ( HW_CNMAGIC )
187: The console magic key sequence.
188: .It Li hw.disknames ( HW_DISKNAMES )
189: The list of (space separated) disk device names on the system.
190: .It Li hw.iostatnames ( HW_IOSTATNAMES )
191: A space separated list of devices that will have I/O statistics
192: collected on them.
193: .It Li hw.iostats ( HW_IOSTATS )
194: Return statistical information on the NFS mounts, disk and tape
195: devices on the system.
196: An array of
197: .Va struct io_sysctl
198: structures is returned,
199: whose size depends on the current number of such objects in the system.
200: The third level name is the size of the
201: .Va struct io_sysctl .
202: The type of object can be determined by examining the
203: .Va type
204: element of
205: .Va struct io_sysctl ,
206: which can be
207: .Dv IOSTAT_DISK
208: (disk drive),
209: .Dv IOSTAT_TAPE
210: (tape drive), or
211: .Dv IOSTAT_NFS
212: (NFS mount).
213: .It Li hw.machine ( HW_MACHINE )
214: The machine class.
215: .It Li hw.machine_arch ( HW_MACHINE_ARCH )
216: The machine CPU class.
217: .It Li hw.model ( HW_MODEL )
218: The machine model.
219: .It Li hw.ncpu ( HW_NCPU )
220: The number of CPUs.
221: .It Li hw.pagesize ( HW_PAGESIZE )
222: The software page size.
223: .It Li hw.physmem ( HW_PHYSMEM )
224: The bytes of physical memory as a 32-bit integer.
225: .It Li hw.physmem64 ( HW_PHYSMEM64 )
226: The bytes of physical memory as a 64-bit integer.
227: .It Li hw.usermem ( HW_USERMEM )
228: The bytes of non-kernel memory as a 32-bit integer.
229: .It Li hw.usermem64 ( HW_USERMEM64 )
230: The bytes of non-kernel memory as a 64-bit integer.
231: .El
1.50 jruoho 232: .Ss The kern.* subtree
1.43 jruoho 233: This subtree includes data generally related to the kernel.
1.1 pavel 234: The string and integer information available for the
235: .Li kern
236: level is detailed below.
237: The changeable column shows whether a process with appropriate
238: privilege may change the value.
1.43 jruoho 239: .Bl -column "kern.posix_reader_writer_locks" \
240: "struct kinfo_drivers" "not applicable"
1.1 pavel 241: .It Sy Second level name Type Changeable
1.51 jruoho 242: .It kern.aio_listio_max integer yes
243: .It kern.aio_max integer yes
1.44 jruoho 244: .It kern.arandom integer no
1.1 pavel 245: .It kern.argmax integer no
1.39 jruoho 246: .It kern.boothowto integer no
1.1 pavel 247: .It kern.boottime struct timeval no
1.39 jruoho 248: .\".It kern.bufq node not applicable
1.1 pavel 249: .It kern.ccpu integer no
250: .It kern.clockrate struct clockinfo no
251: .It kern.consdev integer no
1.39 jruoho 252: .It kern.coredump node not applicable
1.21 joerg 253: .It kern.cp_id struct no
254: .It kern.cp_time uint64_t[\|] no
1.46 jruoho 255: .It kern.cryptodevallowsoft integer yes
1.1 pavel 256: .It kern.defcorename string yes
1.38 jruoho 257: .It kern.detachall integer yes
1.1 pavel 258: .It kern.domainname string yes
259: .It kern.drivers struct kinfo_drivers no
1.39 jruoho 260: .It kern.dump_on_panic integer yes
1.1 pavel 261: .It kern.file struct file no
262: .It kern.forkfsleep integer yes
263: .It kern.fscale integer no
264: .It kern.fsync integer no
1.21 joerg 265: .It kern.hardclock_ticks integer no
1.1 pavel 266: .It kern.hostid integer yes
267: .It kern.hostname string yes
1.21 joerg 268: .It kern.iov_max integer no
1.39 jruoho 269: .It kern.ipc node not applicable
1.21 joerg 270: .It kern.job_control integer no
1.1 pavel 271: .It kern.labeloffset integer no
272: .It kern.labelsector integer no
1.21 joerg 273: .It kern.login_name_max integer no
1.1 pavel 274: .It kern.logsigexit integer yes
1.21 joerg 275: .It kern.mapped_files integer no
1.1 pavel 276: .It kern.maxfiles integer yes
277: .It kern.maxpartitions integer no
278: .It kern.maxphys integer no
279: .It kern.maxproc integer yes
280: .It kern.maxptys integer yes
281: .It kern.maxvnodes integer yes
282: .It kern.mbuf node not applicable
283: .It kern.memlock integer no
1.21 joerg 284: .It kern.memlock_range integer no
285: .It kern.memory_protection integer no
1.42 jruoho 286: .It kern.module node not applicable
1.21 joerg 287: .It kern.monotonic_clock integer no
1.49 jruoho 288: .It kern.mqueue node not applicable
1.1 pavel 289: .It kern.msgbuf integer no
290: .It kern.msgbufsize integer no
291: .It kern.ngroups integer no
1.41 jruoho 292: .\".It kern.no_sa_support integer yes
1.1 pavel 293: .It kern.ntptime struct ntptimeval no
294: .It kern.osrelease string no
1.39 jruoho 295: .It kern.osrevision integer no
1.1 pavel 296: .It kern.ostype string no
1.41 jruoho 297: .\".It kern.panic_now integer yes
1.1 pavel 298: .It kern.pipe node not applicable
1.39 jruoho 299: .\" .It kern.posix node not applicable
300: .It kern.posix1version integer no
1.51 jruoho 301: .It kern.posix_aio integer no
1.21 joerg 302: .It kern.posix_barriers integer no
303: .It kern.posix_reader_writer_locks integer no
1.39 jruoho 304: .\".It kern.posix_sched integer yes
1.21 joerg 305: .It kern.posix_semaphores integer no
306: .It kern.posix_spin_locks integer no
307: .It kern.posix_threads integer no
308: .It kern.posix_timers integer no
1.1 pavel 309: .It kern.proc struct kinfo_proc no
310: .It kern.proc2 struct kinfo_proc2 no
1.21 joerg 311: .It kern.proc_args string no
1.39 jruoho 312: .It kern.profiling node not applicable
1.41 jruoho 313: .\".It kern.pset node not applicable
1.1 pavel 314: .It kern.rawpartition integer no
1.21 joerg 315: .It kern.root_device string no
316: .It kern.root_partition integer no
317: .It kern.rtc_offset integer yes
318: .It kern.saved_ids integer no
1.39 jruoho 319: .It kern.sbmax integer yes
1.41 jruoho 320: .\".It kern.sched node not applicable
1.1 pavel 321: .It kern.securelevel integer raise only
1.39 jruoho 322: .It kern.somaxkva integer yes
1.21 joerg 323: .It kern.synchronized_io integer no
1.19 christos 324: .It kern.timecounter node not applicable
1.1 pavel 325: .It kern.timex struct no
326: .It kern.tkstat node not applicable
327: .It kern.urandom integer no
1.45 jruoho 328: .It kern.usercrypto integer yes
329: .It kern.userasymcrypto integer yes
1.39 jruoho 330: .It kern.veriexec node not applicable
1.1 pavel 331: .It kern.version string no
332: .It kern.vnode struct vnode no
333: .El
334: .Bl -tag -width "123456"
1.51 jruoho 335: .It Li kern.aio_listio_max
336: The maximum number of asynchronous
337: .Tn I/O
338: operations in a single list I/O call.
339: As with all variables related to
340: .Xr aio 3 ,
341: the variable may be created and removed dynamically
342: upon loading or unloading the corresponding kernel module.
343: .It Li kern.aio_max
344: The maximum number of asynchronous I/O operations.
1.44 jruoho 345: .It Li kern.arandom
346: This variable picks a random number each time it is queried.
347: The random number generator used
348: .Pq Tn RNG
349: is based on
350: .Xr arc4random 3 .
1.1 pavel 351: .It Li kern.argmax ( KERN_ARGMAX )
352: The maximum bytes of argument to
353: .Xr execve 2 .
1.23 apb 354: .It Li kern.boothowto
355: Flags passed from the boot loader; see
356: .Xr reboot 2
357: for the meanings of the flags.
1.1 pavel 358: .It Li kern.boottime ( KERN_BOOTTIME )
359: A
360: .Va struct timeval
361: structure is returned.
362: This structure contains the time that the system was booted.
1.41 jruoho 363: .\" .It Li kern.bufq
364: .\" XXX: Undocumented.
1.1 pavel 365: .It Li kern.ccpu ( KERN_CCPU )
366: The scheduler exponential decay value.
367: .It Li kern.clockrate ( KERN_CLOCKRATE )
368: A
369: .Va struct clockinfo
370: structure is returned.
371: This structure contains the clock, statistics clock and profiling clock
372: frequencies, the number of micro-seconds per hz tick, and the clock
373: skew rate.
1.36 jruoho 374: Refer to
375: .Xr hz 9
376: for additional details.
1.1 pavel 377: .It Li kern.consdev ( KERN_CONSDEV )
378: Console device.
1.39 jruoho 379: .It Li kern.coredump
380: Settings related to coredumps of set-id processes.
381: By default, set-id processes do not dump core in situations where
382: other processes would.
383: The settings in this node allow an administrator to change this
384: behavior.
385: .Pp
386: The third level name is
387: .Dv kern.coredump.setid
1.40 jruoho 388: and fourth level variables are described below.
389: .Bl -column "kern.coredump.setid.group" "integer" "Changeable" -offset indent
390: .It Sy Fourth level name Type Changeable
391: .It kern.coredump.setid.dump integer yes
392: .It kern.coredump.setid.group integer yes
393: .It kern.coredump.setid.mode integer yes
394: .It kern.coredump.setid.owner integer yes
395: .It kern.coredump.setid.path string yes
396: .El
1.39 jruoho 397: .Bl -tag -width "123456"
398: .It Li kern.coredump.setid.dump
399: If non-zero, set-id processes will dump core.
400: .It Li kern.coredump.setid.group
401: The group-id for the set-id processes' coredump.
402: .It Li kern.coredump.setid.mode
403: The mode for the set-id processes' coredump.
404: See
405: .Xr chmod 1 .
406: .It Li kern.coredump.setid.owner
407: The user-id that will be used as the owner of the set-id processes'
408: coredump.
409: .It Li kern.coredump.setid.path
410: The path to which set-id processes' coredumps will be saved.
411: The syntax is the same as for kern.defcorename.
412: .El
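An added example (not part of the NetBSD manual page or source tree): a Python check of the kern.coredump.setid.* assignments in sysctl.conf-style text, flagging enabled set-id dumps whose mode grants group or other access or whose path is relative. The name=value syntax with # comments, the C-style integer literals (0600 octal, 0x hex) and all function names are assumptions of this example.

```python
"""Audit kern.coredump.setid.* assignments in sysctl.conf-style text."""

PREFIX = "kern.coredump.setid."

# Constructed sample input, not taken from any real system.
SAMPLE_CONF = """\
# constructed example
kern.maxfiles=4096
kern.coredump.setid.dump=1
kern.coredump.setid.mode=0644      # readable by group and others
kern.coredump.setid.path=%n.core   # relative, lands in the process cwd
kern.coredump.setid.owner=0
"""


def parse_c_int(text):
    """Parse an integer the way C strtol(..., 0) would (assumed syntax)."""
    t = text.strip().lower()
    if t.startswith("0x"):
        return int(t, 16)
    if len(t) > 1 and t.startswith("0"):
        return int(t, 8)
    return int(t, 10)


def read_setid_settings(conf_text):
    """Return {short_name: (value, line_number)}; the last assignment wins."""
    settings = {}
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments (assumed syntax)
        if not line or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if name.startswith(PREFIX):
            settings[name[len(PREFIX):]] = (value, lineno)
    return settings


def audit_setid_coredump(conf_text):
    """Return a list of (line_number, setting, message) findings."""
    settings = read_setid_settings(conf_text)
    findings = []
    ints = {}
    for key in ("dump", "mode", "owner", "group"):
        if key in settings:
            value, lineno = settings[key]
            try:
                ints[key] = parse_c_int(value)
            except ValueError:
                findings.append(
                    (lineno, key, "value %r is not an integer" % value))

    # Per the page, set-id processes do not dump core unless dump is non-zero,
    # so the remaining settings only matter once dumping is switched on.
    if ints.get("dump", 0) == 0:
        return findings
    dump_line = settings["dump"][1]

    if "mode" not in settings:
        findings.append((dump_line, "mode",
                         "dumps enabled but mode not set in this file; "
                         "check the running value with sysctl(8)"))
    elif "mode" in ints and ints["mode"] & 0o077:
        findings.append((settings["mode"][1], "mode",
                         "mode %04o lets group or others access set-id "
                         "coredumps" % ints["mode"]))

    if "path" not in settings:
        findings.append((dump_line, "path",
                         "dumps enabled but path not set in this file; "
                         "check the running value with sysctl(8)"))
    elif not settings["path"][0].startswith("/"):
        findings.append((settings["path"][1], "path",
                         "relative template %r writes the dump into the "
                         "process's working directory" % settings["path"][0]))
    return findings


if __name__ == "__main__":
    for lineno, key, message in audit_setid_coredump(SAMPLE_CONF):
        print("line %d: %s%s: %s" % (lineno, PREFIX, key, message))
```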
1.1 pavel 413: .It Li kern.cp_id ( KERN_CP_ID )
414: Mapping of CPU number to CPU id.
415: .It Li kern.cp_time ( KERN_CP_TIME )
416: Returns an array of CPUSTATES uint64_ts.
417: This array contains the
418: number of clock ticks spent in different CPU states.
419: On multi-processor systems, the sum across all CPUs is returned unless
420: appropriate space is given for one data set for each CPU.
421: Data for a specific CPU can also be obtained by adding the number of the
422: CPU at the end of the MIB, enlarging it by one.
1.46 jruoho 423: .It Li kern.cryptodevallowsoft
424: This variable controls userland access to hardware versus software transforms
425: in the
426: .Xr crypto 4
427: system.
428: The available values are as follows:
1.47 wiz 429: .Bl -tag -width XX0 -offset indent
430: .It Dv \*[Lt] 0
1.46 jruoho 431: Always force userlevel requests to use software transforms.
432: .It Dv = 0
433: If present, use hardware and grant userlevel requests for
434: non-accelerated transforms (handling the latter in software).
1.47 wiz 435: .It Dv \*[Gt] 0
1.46 jruoho 436: Allow user requests only for transforms which are hardware-accelerated.
437: .El
1.1 pavel 438: .It Li kern.defcorename ( KERN_DEFCORENAME )
439: Default template for the name of core dump files (see also
440: .Li proc.pid.corename
441: in the per-process variables
442: .Li proc.* ,
443: and
444: .Xr core 5
445: for format of this template).
446: The default value is
447: .Nm %n.core
448: and can be changed with the kernel configuration option
449: .Cd options DEFCORENAME
450: (see
451: .Xr options 4
452: ).
1.38 jruoho 453: .It Li kern.detachall
454: Detach all devices at shutdown.
1.1 pavel 455: .It Li kern.domainname ( KERN_DOMAINNAME )
456: Get or set the YP domain name.
457: .It Li kern.drivers ( KERN_DRIVERS )
458: Return an array of
459: .Va struct kinfo_drivers
460: that contains the name and major device numbers of all the device drivers
461: in the current kernel.
462: The
463: .Va d_name
464: field is always a NUL terminated string.
465: The
466: .Va d_bmajor
467: field will be set to \-1 if the driver doesn't have a block device.
1.39 jruoho 468: .It Li kern.dump_on_panic ( KERN_DUMP_ON_PANIC )
1.41 jruoho 469: Perform a crash dump on system
470: .Xr panic 9 .
1.1 pavel 471: .It Li kern.file ( KERN_FILE )
472: Return the entire file table.
473: The returned data consists of a single
474: .Va struct filelist
475: followed by an array of
476: .Va struct file ,
477: whose size depends on the current number of such objects in the system.
478: .It Li kern.forkfsleep ( KERN_FORKFSLEEP )
479: If the
480: .Xr fork 2
481: system call fails due to the limit on the number of processes (either
482: the global maxproc limit or the per-user one), wait for this many
483: milliseconds before returning the
484: .Er EAGAIN
485: error to the process.
486: Useful to keep heavily forking runaway processes at bay.
487: Default zero (no sleep).
488: Maximum is 20 seconds.
489: .It Li kern.fscale ( KERN_FSCALE )
490: The kernel fixed-point scale factor.
491: .It Li kern.fsync ( KERN_FSYNC )
492: Return 1 if the POSIX 1003.1b File Synchronization Option is available
493: on this system,
494: otherwise 0.
495: .It Li kern.hardclock_ticks ( KERN_HARDCLOCK_TICKS )
496: Returns the number of
497: .Xr hardclock 9
498: ticks.
499: .It Li kern.hostid ( KERN_HOSTID )
1.39 jruoho 500: Get or set the host identifier.
501: This is intended to replace the legacy
502: .Xr gethostid 3
503: and
504: .Xr sethostid 3
505: system calls.
1.1 pavel 506: .It Li kern.hostname ( KERN_HOSTNAME )
1.39 jruoho 507: Get or set the
508: .Xr hostname 1 .
1.1 pavel 509: .It Li kern.iov_max ( KERN_IOV_MAX )
510: Return the maximum number of
511: .Va iovec
512: structures that a process has available for use with
513: .Xr preadv 2 ,
514: .Xr pwritev 2 ,
515: .Xr readv 2 ,
516: .Xr recvmsg 2 ,
517: .Xr sendmsg 2
518: and
519: .Xr writev 2 .
1.39 jruoho 520: .It Li kern.ipc ( KERN_SYSVIPC )
521: Return information about the SysV IPC parameters.
522: The third level names for the ipc variables are detailed below.
523: .Bl -column "kern.ipc.shm_use_phys" "integer" "Changeable" -offset indent
524: .It Sy Third level name Type Changeable
525: .It kern.ipc.sysvmsg integer no
526: .It kern.ipc.sysvsem integer no
527: .It kern.ipc.sysvshm integer no
528: .It kern.ipc.sysvipc_info struct no
529: .It kern.ipc.shmmax integer yes
530: .It kern.ipc.shmmni integer yes
531: .It kern.ipc.shmseg integer yes
532: .It kern.ipc.shmmaxpgs integer yes
533: .It kern.ipc.shm_use_phys integer yes
534: .It kern.ipc.msgmni integer yes
535: .It kern.ipc.msgseg integer yes
536: .It kern.ipc.semmni integer yes
537: .It kern.ipc.semmns integer yes
538: .It kern.ipc.semmnu integer yes
539: .El
540: .Bl -tag -width "123456"
541: .It Li kern.ipc.sysvmsg ( KERN_SYSVIPC_MSG )
542: Returns 1 if System V style message queue functionality is available
543: on this system,
544: otherwise 0.
545: .It Li kern.ipc.sysvsem ( KERN_SYSVIPC_SEM )
546: Returns 1 if System V style semaphore functionality is available
547: on this system,
548: otherwise 0.
549: .It Li kern.ipc.sysvshm ( KERN_SYSVIPC_SHM )
550: Returns 1 if System V style shared memory functionality is available
551: on this system,
552: otherwise 0.
553: .It Li kern.ipc.sysvipc_info ( KERN_SYSVIPC_INFO )
554: Return System V style IPC configuration and run-time information.
555: The fourth level name selects the System V style IPC facility.
556: .Bl -column "KERN_SYSVIPC_MSG_INFO" "struct shm_sysctl_info" -offset indent
557: .It Sy Fourth level name Type
558: .It KERN_SYSVIPC_MSG_INFO struct msg_sysctl_info
559: .It KERN_SYSVIPC_SEM_INFO struct sem_sysctl_info
560: .It KERN_SYSVIPC_SHM_INFO struct shm_sysctl_info
561: .El
562: .Pp
563: .Bl -tag -width "123456"
564: .It Li KERN_SYSVIPC_MSG_INFO
565: Return information on the System V style message facility.
566: The
567: .Sy msg_sysctl_info
568: structure is defined in
569: .In sys/msg.h .
570: .It Li KERN_SYSVIPC_SEM_INFO
571: Return information on the System V style semaphore facility.
572: The
573: .Sy sem_sysctl_info
574: structure is defined in
575: .In sys/sem.h .
576: .It Li KERN_SYSVIPC_SHM_INFO
577: Return information on the System V style shared memory facility.
578: The
579: .Sy shm_sysctl_info
580: structure is defined in
581: .In sys/shm.h .
582: .El
583: .It Li kern.ipc.shmmax ( KERN_SYSVIPC_SHMMAX )
584: Max shared memory segment size in bytes.
585: .It Li kern.ipc.shmmni ( KERN_SYSVIPC_SHMMNI )
586: Max number of shared memory identifiers.
587: .It Li kern.ipc.shmseg ( KERN_SYSVIPC_SHMSEG )
588: Max shared memory segments per process.
589: .It Li kern.ipc.shmmaxpgs ( KERN_SYSVIPC_SHMMAXPGS )
590: Max amount of shared memory in pages.
591: .It Li kern.ipc.shm_use_phys ( KERN_SYSVIPC_SHMUSEPHYS )
592: Locking of shared memory in physical memory.
593: If 0, memory can be swapped
594: out, otherwise it will be locked in physical memory.
595: .It Li kern.ipc.msgmni
596: Max number of message queue identifiers.
597: .It Li kern.ipc.msgseg
598: Max number of message segments.
599: .It Li kern.ipc.semmni
600: Max number of semaphore identifiers.
601: .It Li kern.ipc.semmns
602: Max number of semaphores in system.
603: .It Li kern.ipc.semmnu
604: Max number of undo structures in system.
605: .El
1.1 pavel 606: .It Li kern.job_control ( KERN_JOB_CONTROL )
607: Return 1 if job control is available on this system, otherwise 0.
608: .It Li kern.labeloffset ( KERN_LABELOFFSET )
609: The offset within the sector specified by KERN_LABELSECTOR of the
610: .Xr disklabel 5 .
611: .It Li kern.labelsector ( KERN_LABELSECTOR )
612: The sector number containing the
613: .Xr disklabel 5 .
614: .It Li kern.login_name_max ( KERN_LOGIN_NAME_MAX )
615: The size of the storage required for a login name, in bytes,
616: including the terminating NUL.
617: .It Li kern.logsigexit ( KERN_LOGSIGEXIT )
618: If this flag is non-zero, the kernel will
619: .Xr log 9
620: all process exits due to signals which create a
621: .Xr core 5
622: file, and whether the coredump was created.
623: .It Li kern.mapped_files ( KERN_MAPPED_FILES )
624: Returns 1 if the POSIX 1003.1b Memory Mapped Files Option is available
625: on this system,
626: otherwise 0.
627: .It Li kern.maxfiles ( KERN_MAXFILES )
628: The maximum number of files that may be open in the system.
629: .It Li kern.maxpartitions ( KERN_MAXPARTITIONS )
630: The maximum number of partitions allowed per disk.
631: .It Li kern.maxphys ( KERN_MAXPHYS )
632: Maximum raw I/O transfer size.
633: .It Li kern.maxproc ( KERN_MAXPROC )
634: The maximum number of simultaneous processes the system will allow.
635: .It Li kern.maxptys ( KERN_MAXPTYS )
636: The maximum number of pseudo terminals.
637: This value can be both raised and lowered, though it cannot
638: be set lower than the number of currently used ptys.
639: See also
640: .Xr pty 4 .
641: .It Li kern.maxvnodes ( KERN_MAXVNODES )
642: The maximum number of vnodes available on the system.
643: This can only be raised.
644: .It Li kern.mbuf ( KERN_MBUF )
645: Return information about the mbuf control variables.
646: Mbufs are data structures which store network packets and other data
647: structures in the networking code, see
648: .Xr mbuf 9 .
649: The third level names for the mbuf variables are detailed below.
650: The changeable column shows whether a process with appropriate
651: privilege may change the value.
1.21 joerg 652: .Bl -column "kern.mbuf.nmbclusters" "integer" "Changeable" -offset indent
1.1 pavel 653: .It Sy Third level name Type Changeable
654: .\" XXX Changeable? really?
655: .It kern.mbuf.mblowat integer yes
656: .It kern.mbuf.mclbytes integer yes
657: .It kern.mbuf.mcllowat integer yes
658: .It kern.mbuf.msize integer yes
659: .It kern.mbuf.nmbclusters integer yes
660: .El
661: .Pp
662: The variables are as follows:
663: .Bl -tag -width "123456"
664: .It Li kern.mbuf.mblowat ( MBUF_MBLOWAT )
665: The mbuf low water mark.
666: .It Li kern.mbuf.mclbytes ( MBUF_MCLBYTES )
667: The mbuf cluster size.
668: .It Li kern.mbuf.mcllowat ( MBUF_MCLLOWAT )
669: The mbuf cluster low water mark.
670: .It Li kern.mbuf.msize ( MBUF_MSIZE )
671: The mbuf base size.
672: .It Li kern.mbuf.nmbclusters ( MBUF_NMBCLUSTERS )
673: The limit on the number of mbuf clusters.
674: The variable can only be increased, and only increased on machines with
675: direct-mapped pool pages.
676: .El
677: .It Li kern.memlock ( KERN_MEMLOCK )
678: Returns 1 if the POSIX 1003.1b Process Memory Locking Option is available
679: on this system,
680: otherwise 0.
681: .It Li kern.memlock_range ( KERN_MEMLOCK_RANGE )
682: Returns 1 if the POSIX 1003.1b Range Memory Locking Option is available
683: on this system,
684: otherwise 0.
685: .It Li kern.memory_protection ( KERN_MEMORY_PROTECTION )
686: Returns 1 if the POSIX 1003.1b Memory Protection Option is available
687: on this system,
688: otherwise 0.
1.42 jruoho 689: .It Li kern.module
690: Settings related to kernel modules.
691: The third level names for the settings are described below.
692: .Bl -column "kern.module.autoload" "integer" "Changeable" -offset indent
693: .It Sy Third level name Type Changeable
694: .It kern.module.autoload integer yes
695: .It kern.module.verbose integer yes
696: .El
697: .Pp
698: The variables are as follows:
699: .Bl -tag -width "123456"
700: .It Li kern.module.autoload
701: A boolean that controls whether kernel modules are loaded automatically.
1.52 jruoho 702: See
1.53 ! jruoho 703: .Xr module 7
1.42 jruoho 704: for additional details.
705: .It Li kern.module.verbose
706: A boolean that enables or disables verbose
707: debug messages related to kernel modules.
708: .El
1.49 jruoho 709: .It Li kern.monotonic_clock ( KERN_MONOTONIC_CLOCK )
710: Returns the standard version the implementation of the POSIX 1003.1b
711: Monotonic Clock Option conforms to,
712: otherwise 0.
1.48 jruoho 713: .It Li kern.mqueue
714: Settings related to
715: .Tn POSIX
716: message queues; see
717: .Xr mqueue 3 .
718: This node is created dynamically when
719: the corresponding kernel module is loaded.
720: The third level names for the settings are described below.
721: .Bl -column "kern.mqueue.mq_max_msgsize" "integer" "Changeable" -offset indent
722: .It Sy Third level name Type Changeable
723: .It kern.mqueue.mq_open_max integer yes
724: .It kern.mqueue.mq_prio_max integer yes
725: .It kern.mqueue.mq_max_msgsize integer yes
726: .It kern.mqueue.mq_def_maxmsg integer yes
727: .It kern.mqueue.mq_max_maxmsg integer yes
728: .El
729: .Pp
730: The variables are:
731: .Bl -tag -width "123456"
732: .It Li kern.mqueue.mq_open_max
733: The maximum number of message queue descriptors any single process can open.
734: .It Li kern.mqueue.mq_prio_max
735: The maximum priority of a message.
736: .It Li kern.mqueue.mq_max_msgsize
737: The maximum size of a message in a message queue.
738: .It Li kern.mqueue.mq_def_maxmsg
739: The default maximum message count.
740: .It Li kern.mqueue.mq_max_maxmsg
741: The maximum number of messages in a message queue.
742: .El
1.1 pavel 743: .It Li kern.msgbuf ( KERN_MSGBUF )
744: The kernel message buffer, rotated so that the head of the circular kernel
745: message buffer is at the start of the returned data.
746: The returned data may contain NUL bytes.
747: .It Li kern.msgbufsize ( KERN_MSGBUFSIZE )
748: The maximum number of characters that the kernel message buffer can hold.
749: .It Li kern.ngroups ( KERN_NGROUPS )
750: The maximum number of supplemental groups.
1.41 jruoho 751: .\" .It Li kern.no_sa_support
752: .\" XXX: Undocumented.
1.1 pavel 753: .It Li kern.ntptime ( KERN_NTPTIME )
754: A
755: .Va struct ntptimeval
756: structure is returned.
757: This structure contains data used by the
758: .Xr ntpd 8
759: program.
760: .It Li kern.osrelease ( KERN_OSRELEASE )
761: The system release string.
762: .It Li kern.osrevision ( KERN_OSREV )
763: The system revision string.
764: .It Li kern.ostype ( KERN_OSTYPE )
765: The system type string.
1.41 jruoho 766: .\".It Li kern.panic_now
767: .\" XXX: Undocumented.
1.1 pavel 768: .It Li kern.pipe ( KERN_PIPE )
769: Pipe settings.
770: The third level names for the integer pipe settings are detailed below.
771: The changeable column shows whether a process with appropriate
772: privilege may change the value.
1.21 joerg 773: .Bl -column "kern.pipe.maxbigpipes" "integer" "Changeable" -offset indent
1.1 pavel 774: .It Sy Third level name Type Changeable
775: .It kern.pipe.kvasiz integer yes
776: .It kern.pipe.maxbigpipes integer yes
777: .It kern.pipe.maxkvasz integer yes
778: .It kern.pipe.limitkva integer yes
779: .It kern.pipe.nbigpipes integer yes
780: .El
781: .Pp
782: The variables are as follows:
783: .Bl -tag -width "123456"
784: .It Li kern.pipe.kvasiz ( KERN_PIPE_KVASIZ )
785: Amount of kernel memory consumed by pipe buffers.
786: .It Li kern.pipe.maxbigpipes ( KERN_PIPE_MAXBIGPIPES )
787: Maximum number of "big" pipes.
788: .It Li kern.pipe.maxkvasz ( KERN_PIPE_MAXKVASZ )
789: Maximum amount of kernel memory to be used for pipes.
790: .It Li kern.pipe.limitkva ( KERN_PIPE_LIMITKVA )
791: Limit for direct transfers via page loan.
792: .It Li kern.pipe.nbigpipes ( KERN_PIPE_NBIGPIPES )
793: Number of "big" pipes.
794: .El
1.39 jruoho 795: .\" XXX: Undocumented .It Li kern.posix ( ? )
796: .\" This is a node in which the only variable is semmax.
1.1 pavel 797: .It Li kern.posix1version ( KERN_POSIX1 )
798: The version of ISO/IEC 9945 (POSIX 1003.1) with which the system
799: attempts to comply.
1.51 jruoho 800: .It Li kern.posix_aio
801: The version of
802: .St -p1003.1
803: and its Asynchronous I/O option to which the system attempts to conform.
1.1 pavel 804: .It Li kern.posix_barriers ( KERN_POSIX_BARRIERS )
805: The version of
806: .St -p1003.1
807: and its
808: Barriers
809: option to which the system attempts to conform,
810: otherwise 0.
811: .It Li kern.posix_reader_writer_locks ( KERN_POSIX_READER_WRITER_LOCKS )
812: The version of
813: .St -p1003.1
814: and its
815: Read-Write Locks
816: option to which the system attempts to conform,
817: otherwise 0.
1.41 jruoho 818: .\".It Li kern.posix_sched
819: .\" XXX: Undocumented.
1.1 pavel 820: .It Li kern.posix_semaphores ( KERN_POSIX_SEMAPHORES )
821: The version of
822: .St -p1003.1
823: and its
824: Semaphores
825: option to which the system attempts to conform,
826: otherwise 0.
827: .It Li kern.posix_spin_locks ( KERN_POSIX_SPIN_LOCKS )
828: The version of
829: .St -p1003.1
830: and its
831: Spin Locks
832: option to which the system attempts to conform,
833: otherwise 0.
834: .It Li kern.posix_threads ( KERN_POSIX_THREADS )
835: The version of
836: .St -p1003.1
837: and its
838: Threads
839: option to which the system attempts to conform,
840: otherwise 0.
841: .It Li kern.posix_timers ( KERN_POSIX_TIMERS )
842: The version of
843: .St -p1003.1
844: and its
845: Timers
846: option to which the system attempts to conform,
847: otherwise 0.
848: .It Li kern.proc ( KERN_PROC )
849: Return the entire process table, or a subset of it.
850: An array of
851: .Va struct kinfo_proc
852: structures is returned,
853: whose size depends on the current number of such objects in the system.
854: The third and fourth level numeric names are as follows:
1.21 joerg 855: .Bl -column "KERN_PROC_SESSION" "Fourth level is:" -offset indent
1.1 pavel 856: .It Sy Third level name Fourth level is:
1.21 joerg 857: .It KERN_PROC_ALL None
858: .It KERN_PROC_GID A group ID
859: .It KERN_PROC_PID A process ID
860: .It KERN_PROC_PGRP A process group
861: .It KERN_PROC_RGID A real group ID
862: .It KERN_PROC_RUID A real user ID
863: .It KERN_PROC_SESSION A session ID
864: .It KERN_PROC_TTY A tty device
865: .It KERN_PROC_UID A user ID
1.1 pavel 866: .El
867: .It Li kern.proc2 ( KERN_PROC2 )
868: As for KERN_PROC, but an array of
869: .Va struct kinfo_proc2
870: structures is returned.
871: The fifth level name is the size of the
872: .Va struct kinfo_proc2
873: and the sixth level name is the number of structures to return.
874: .It Li kern.proc_args ( KERN_PROC_ARGS )
875: Return the argv or environment strings (or the number thereof)
876: of a process.
877: Multiple strings are returned separated by NUL characters.
878: The third level name is the process ID.
879: The fourth level name is as follows:
1.21 joerg 880: .Bl -column "KERN_PROG_NARGV" "The number of environ strings" -offset indent
881: .It KERN_PROC_ARGV The argv strings
882: .It KERN_PROC_ENV The environ strings
883: .It KERN_PROC_NARGV The number of argv strings
884: .It KERN_PROC_NENV The number of environ strings
1.1 pavel 885: .El
886: .It Li kern.profiling ( KERN_PROF )
887: Return profiling information about the kernel.
888: If the kernel is not compiled for profiling,
889: attempts to retrieve any of the KERN_PROF values will
890: fail with
891: .Er EOPNOTSUPP .
892: The third level names for the string and integer profiling information
893: are detailed below.
894: The changeable column shows whether a process with appropriate
895: privilege may change the value.
1.21 joerg 896: .Bl -column "kern.profiling.gmonparam" "struct gmonparam" "Changeable" -offset indent
1.1 pavel 897: .It Sy Third level name Type Changeable
898: .It kern.profiling.count u_short[\|] yes
899: .It kern.profiling.froms u_short[\|] yes
900: .It kern.profiling.gmonparam struct gmonparam no
901: .It kern.profiling.state integer yes
902: .It kern.profiling.tos struct tostruct yes
903: .El
904: .Pp
905: The variables are as follows:
906: .Bl -tag -width "123456"
907: .It Li kern.profiling.count ( GPROF_COUNT )
908: Array of statistical program counter counts.
909: .It Li kern.profiling.froms ( GPROF_FROMS )
910: Array indexed by program counter of call-from points.
911: .It Li kern.profiling.gmonparams ( GPROF_GMONPARAM )
912: Structure giving the sizes of the above arrays.
913: .It Li kern.profiling.state ( GPROF_STATE )
914: Profiling state.
915: If set to GMON_PROF_ON, starts profiling.
916: If set to GMON_PROF_OFF, stops profiling.
917: .It Li kern.profiling.tos ( GPROF_TOS )
918: Array of
919: .Va struct tostruct
920: describing destination of calls and their counts.
921: .El
1.41 jruoho 922: .\" .It Li kern.pset
923: .\" XXX: Undocumented.
1.1 pavel 924: .It Li kern.rawpartition ( KERN_RAWPARTITION )
925: The raw partition of a disk (a == 0).
926: .It Li kern.root_device ( KERN_ROOT_DEVICE )
927: The name of the root device (e.g.,
928: .Dq wd0 ) .
929: .It Li kern.root_partition ( KERN_ROOT_PARTITION )
930: The root partition on the root device (a == 0).
931: .It Li kern.rtc_offset ( KERN_RTC_OFFSET )
932: Return the offset of real time clock from UTC in minutes.
933: .It Li kern.saved_ids ( KERN_SAVED_IDS )
934: Returns 1 if saved set-group and saved set-user IDs are available.
935: .It Li kern.sbmax ( KERN_SBMAX )
936: Maximum socket buffer size.
937: .\" XXX units?
938: .It Li kern.securelevel ( KERN_SECURELVL )
1.25 elad 939: See
940: .Xr secmodel_securelevel 9 .
1.41 jruoho 941: .\" .It Li kern.sched
942: .\" XXX: Undocumented.
1.1 pavel 943: .It Li kern.somaxkva ( KERN_SOMAXKVA )
944: Maximum amount of kernel memory to be used for socket buffers.
945: .\" XXX units?
946: .It Li kern.synchronized_io ( KERN_SYNCHRONIZED_IO )
947: Returns 1 if the POSIX 1003.1b Synchronized I/O Option is available
948: on this system,
949: otherwise 0.
1.19 christos 950: .It Li kern.timecounter ( dynamic )
951: Display and control the timecounter source of the system.
1.21 joerg 952: .Bl -column "kern.timecounter.timestepwarnings" "integer" "Changeable" -offset indent
1.19 christos 953: .It Sy Third level name Type Changeable
954: .It kern.timecounter.choice string no
955: .It kern.timecounter.hardware string yes
956: .It kern.timecounter.timestepwarnings integer yes
957: .El
958: .Pp
959: The variables are as follows:
960: .Bl -tag -width "123456"
961: .It Li kern.timecounter.choice ( dynamic )
962: The list of available timecounters with their quality and frequency.
963: .It Li kern.timecounter.hardware ( dynamic )
964: The currently selected timecounter source.
965: .It Li kern.timecounter.timestepwarnings ( dynamic )
966: If non-zero, display a message each time the time is stepped.
967: .El
1.1 pavel 968: .It Li kern.timex ( KERN_TIMEX )
969: Not available.
970: .It Li kern.tkstat ( KERN_TKSTAT )
971: Return information about the number of characters sent and received
972: on ttys.
973: The third level names for the tty statistic variables are detailed below.
974: The changeable column shows whether a process
975: with appropriate privilege may change the value.
1.21 joerg 976: .Bl -column "kern.tkstat.cancc" "quad" "Changeable" -offset indent
1.1 pavel 977: .It Sy Third level name Type Changeable
978: .It kern.tkstat.cancc quad no
979: .It kern.tkstat.nin quad no
980: .It kern.tkstat.nout quad no
981: .It kern.tkstat.rawcc quad no
982: .El
983: .Pp
984: The variables are as follows:
985: .Bl -tag -width "123456"
986: .It Li kern.tkstat.cancc ( KERN_TKSTAT_CANCC )
987: The number of canonical input characters.
988: .It Li kern.tkstat.nin ( KERN_TKSTAT_NIN )
989: The total number of input characters.
990: .It Li kern.tkstat.nout ( KERN_TKSTAT_NOUT )
991: The total number of output characters.
992: .It Li kern.tkstat.rawcc ( KERN_TKSTAT_RAWCC )
993: The number of raw input characters.
994: .El
995: .It Li kern.urandom ( KERN_URND )
996: Random integer value.
1.45 jruoho 997: .It Li kern.usercrypto
998: When enabled, allows userland to
999: .Xr open 2
1000: the
1001: .Pa /dev/crypto
1002: special device, used by the
1003: .Xr crypto 4
1004: system.
1005: .It Li kern.userasymcrypto
1006: Enables or disables the use of software asymmetric crypto support in the
1007: .Xr crypto 4
1008: system.
1.1 pavel 1009: .It Li kern.veriexec
1.40 jruoho 1010: Runtime information for
1011: .Xr veriexec 8 .
1012: .Bl -column "kern.veriexec.algorithms" "integer" "Changeable" -offset indent
1013: .It Sy Third level name Type Changeable
1014: .It kern.veriexec.algorithms string no
1015: .It kern.veriexec.count node not applicable
1016: .It kern.veriexec.strict integer yes
1017: .It kern.veriexec.verbose integer yes
1018: .El
1.1 pavel 1019: .Bl -tag -width "123456"
1020: .It Li kern.veriexec.algorithms
1021: Returns a string with the supported algorithms in Veriexec.
1022: .It Li kern.veriexec.count
1023: Sub-nodes are added to this node as new mounts are monitored by Veriexec.
1024: Each mount will be under its own
1025: .No tableN
1026: node.
1027: Under each node there will be three variables, indicating the mount
1028: point, the file-system type, and the number of entries.
1029: .It Li kern.veriexec.strict
1030: Controls the strict level of Veriexec.
1031: See
1032: .Xr security 8
1033: for more information on each level's implications.
1034: .It Li kern.veriexec.verbose
1035: Controls the verbosity level of Veriexec.
1036: If 0, only the minimal
1037: indication required will be given about what's happening - fingerprint
1038: mismatches, removal of entries from the tables, modification of a
1039: fingerprinted file.
1040: If 1, more messages will be printed (i.e., when a file with a valid
1041: fingerprint is accessed).
1042: Verbose level 2 is debug mode.
1043: .El
1044: .It Li kern.version ( KERN_VERSION )
1045: The system version string.
1046: .It Li kern.vnode ( KERN_VNODE )
1047: Return the entire vnode table.
1048: Note, the vnode table is not necessarily a consistent snapshot of
1049: the system.
1050: The returned data consists of an array whose size depends on the
1051: current number of such objects in the system.
1052: Each element of the array contains the kernel address of a vnode
1053: .Va struct vnode *
1054: followed by the vnode itself
1055: .Va struct vnode .
1.43 jruoho 1056: .\" XXX: Undocumented: kern.lwp: no children?
1.1 pavel 1057: .El
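The kern.proc_args and kern.msgbuf entries above both return raw bytes with embedded NULs, so a consumer has to work from the returned length rather than from C string functions. The following is an added example, not part of the manual page or of NetBSD: the function names and the sample buffers are constructed for illustration, and on a real system the buffer and its length would come from the sysctl call.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: KERN_PROC_ARGV-style data, strings separated by NUL. */
static const char sample_argv[] = "sshd\0-D\0-f\0/etc/ssh/sshd_config";

/* Constructed sample: message-buffer data with NUL bytes and an ESC byte. */
static const unsigned char sample_msgbuf[] =
    "\0\0boot ok\n\033[2Jwd0: ok\n";

/*
 * Split a NUL-separated buffer into strings without reading past len.
 * Only strings that are terminated inside the buffer are returned; an
 * unterminated tail or a full output array sets *truncated instead of
 * being read with strlen().  (Hypothetical helper for this example.)
 */
static size_t
split_nul_strings(const char *buf, size_t len, const char **out,
    size_t max_out, int *truncated)
{
	size_t n = 0, start = 0;

	*truncated = 0;
	while (start < len) {
		const char *end = memchr(buf + start, '\0', len - start);

		if (end == NULL || n == max_out) {
			*truncated = 1;	/* no terminator, or no room left */
			break;
		}
		out[n++] = buf + start;
		start = (size_t)(end - buf) + 1;
	}
	return n;
}

/*
 * Copy message-buffer bytes into a printable C string: NUL bytes are
 * dropped, newline, tab and printable ASCII are kept, and every other
 * byte is written as \xNN so that control sequences in logged data are
 * not replayed on the reader's terminal.  Returns the output length.
 */
static size_t
sanitize_msgbuf(const unsigned char *in, size_t len, char *out, size_t outsz)
{
	static const char hex[] = "0123456789abcdef";
	size_t o = 0;

	if (outsz == 0)
		return 0;
	for (size_t i = 0; i < len; i++) {
		unsigned char c = in[i];

		if (c == '\0')
			continue;
		if (c == '\n' || c == '\t' || (c >= 0x20 && c < 0x7f)) {
			if (o + 1 >= outsz)
				break;
			out[o++] = (char)c;
		} else {
			if (o + 4 >= outsz)
				break;
			out[o++] = '\\';
			out[o++] = 'x';
			out[o++] = hex[c >> 4];
			out[o++] = hex[c & 0x0f];
		}
	}
	out[o] = '\0';
	return o;
}

int
main(void)
{
	const char *args[16];
	char text[128];
	int truncated;
	size_t n;

	n = split_nul_strings(sample_argv, sizeof(sample_argv), args, 16,
	    &truncated);
	for (size_t i = 0; i < n; i++)
		printf("argv[%zu] = %s\n", i, args[i]);
	printf("truncated = %d\n", truncated);

	sanitize_msgbuf(sample_msgbuf, sizeof(sample_msgbuf) - 1, text,
	    sizeof(text));
	fputs(text, stdout);
	return 0;
}
```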
1.50 jruoho 1058: .Ss The machdep.* subtree
1.1 pavel 1059: The set of variables defined is architecture dependent.
1060: Most architectures define at least the following variables.
1.43 jruoho 1061: .Bl -column "machdep.booted_kernel" "Type" "Changeable" -offset indent
1.1 pavel 1062: .It Sy Second level name Type Changeable
1.43 jruoho 1063: .It Li machdep.booted_kernel string no
1.1 pavel 1064: .El
1.43 jruoho 1065: .\" XXX: Document the above.
1.50 jruoho 1066: .Ss The net.* subtree
1.1 pavel 1067: The string and integer information available for the
1068: .Li net
1069: level is detailed below.
1070: The changeable column shows whether a process with appropriate
1071: privilege may change the value.
1072: The second and third levels are typically the protocol family and
1073: protocol number, though this is not always the case.
1.21 joerg 1074: .Bl -column "Second level name" "IPsec key management values" "Changeable" -offset indent
1.1 pavel 1075: .It Sy Second level name Type Changeable
1076: .It net.route routing messages no
1077: .It net.inet IPv4 values yes
1078: .It net.inet6 IPv6 values yes
1079: .It net.key IPsec key management values yes
1080: .El
1081: .Pp
1082: .Bl -tag -width "123456"
1083: .It Li net.route ( PF_ROUTE )
1084: .\" XXX really?
1085: Return the entire routing table or a subset of it.
1086: The data is returned as a sequence of routing messages (see
1087: .Xr route 4
1088: for the header file, format and meaning).
1089: The length of each message is contained in the message header.
1090: .Pp
1091: The third level name is a protocol number, which is currently always 0.
1092: The fourth level name is an address family, which may be set to 0 to
1093: select all address families.
1094: The fifth and sixth level names are as follows:
1.21 joerg 1095: .Bl -column "Fifth level name" "Sixth level is:" -offset indent
1.1 pavel 1096: .It Sy Fifth level name Sixth level is:
1.21 joerg 1097: .It NET_RT_FLAGS rtflags
1098: .It NET_RT_DUMP None
1099: .It NET_RT_IFLIST None
1.1 pavel 1100: .El
1101: .It Li net.inet ( PF_INET )
1102: Get or set various global information about the IPv4
1103: .Pq Internet Protocol version 4 .
1104: The third level name is the protocol.
1105: The fourth level name is the variable name.
1106: The currently defined protocols and names are:
1.21 joerg 1107: .Bl -column "Protocol name" "sack.globalmaxholes" "integer" "Changeable" -offset 4n
1.1 pavel 1108: .It Sy Protocol name Variable name Type Changeable
1109: .It arp down integer yes
1110: .It arp keep integer yes
1111: .It arp prune integer yes
1112: .It arp refresh integer yes
1113: .It carp allow integer yes
1114: .It carp preempt integer yes
1115: .It carp log integer yes
1116: .It carp arpbalance integer yes
1117: .It icmp errppslimit integer yes
1118: .It icmp maskrepl integer yes
1119: .It icmp rediraccept integer yes
1120: .It icmp redirtimeout integer yes
1.28 christos 1121: .It icmp bmcastecho integer yes
1.1 pavel 1122: .It ip allowsrcrt integer yes
1123: .It ip anonportmax integer yes
1124: .It ip anonportmin integer yes
1125: .It ip checkinterface integer yes
1126: .It ip directed-broadcast integer yes
1127: .It ip do_loopback_cksum integer yes
1128: .It ip forwarding integer yes
1129: .It ip forwsrcrt integer yes
1130: .It ip gifttl integer yes
1131: .It ip grettl integer yes
1.8 liamjfoy 1132: .It ip hashsize integer yes
1.1 pavel 1133: .It ip hostzerobroadcast integer yes
1134: .It ip lowportmin integer yes
1135: .It ip lowportmax integer yes
1136: .It ip maxflows integer yes
1137: .It ip maxfragpackets integer yes
1138: .It ip mtudisc integer yes
1139: .It ip mtudisctimeout integer yes
1140: .It ip random_id integer yes
1141: .It ip redirect integer yes
1142: .It ip subnetsarelocal integer yes
1143: .It ip ttl integer yes
1144: .It tcp rfc1323 integer yes
1145: .It tcp sendspace integer yes
1146: .It tcp recvspace integer yes
1147: .It tcp mssdflt integer yes
1148: .It tcp syn_cache_limit integer yes
1149: .It tcp syn_bucket_limit integer yes
1150: .It tcp syn_cache_interval integer yes
1151: .It tcp init_win integer yes
1152: .It tcp init_win_local integer yes
1153: .It tcp mss_ifmtu integer yes
1154: .It tcp win_scale integer yes
1155: .It tcp timestamps integer yes
1156: .It tcp compat_42 integer yes
1157: .It tcp cwm integer yes
1158: .It tcp cwm_burstsize integer yes
1159: .It tcp ack_on_push integer yes
1160: .It tcp keepidle integer yes
1161: .It tcp keepintvl integer yes
1162: .It tcp keepcnt integer yes
1163: .It tcp slowhz integer no
1.12 christos 1164: .It tcp keepinit integer yes
1.1 pavel 1165: .It tcp log_refused integer yes
1166: .It tcp rstppslimit integer yes
1167: .It tcp ident struct no
1.13 christos 1168: .It tcp drop struct no
1.1 pavel 1169: .It tcp sack.enable integer yes
1170: .It tcp sack.globalholes integer no
1171: .It tcp sack.globalmaxholes integer yes
1172: .It tcp sack.maxholes integer yes
1173: .It tcp ecn.enable integer yes
1174: .It tcp ecn.maxretries integer yes
1175: .It tcp congctl.selected string yes
1176: .It tcp congctl.available string yes
1177: .It tcp abc.enable integer yes
1178: .It tcp abc.aggressive integer yes
1179: .It udp checksum integer yes
1180: .It udp do_loopback_cksum integer yes
1181: .It udp recvspace integer yes
1182: .It udp sendspace integer yes
1183: .El
1184: .Pp
1185: The variables are as follows:
1186: .Bl -tag -width "123456"
1187: .It Li arp.down
1188: Failed ARP entry lifetime.
1189: .It Li arp.keep
1190: Valid ARP entry lifetime.
1191: .It Li arp.prune
1192: ARP cache pruning interval.
1193: .It Li arp.refresh
1194: ARP entry refresh interval.
1195: .It Li carp.allow
1196: If set to 0, incoming
1197: .Xr carp 4
1198: packets will not be processed.
1199: If set to any other value, processing will occur.
1200: Enabled by default.
1201: .It Li carp.arpbalance
1202: If set to any value other than 0, the ARP balancing functionality of
1203: .Xr carp 4
1204: is enabled.
1205: When ARP requests are received for an IP address which is part of any virtual
1206: host, carp will hash the source IP in the ARP request to select one of the
1207: virtual hosts from the set of all the virtual hosts which have that IP address.
1208: The master of that host will respond with the correct virtual MAC address.
1209: Disabled by default.
1210: .It Li carp.log
1211: If set to any value other than 0,
1212: .Xr carp 4
1213: will log errors.
1214: Disabled by default.
1215: .It Li carp.preempt
1216: If set to 0,
1217: .Xr carp 4
1218: will not attempt to become master if it is receiving advertisements from
1219: another active master.
1220: If set to any other value, carp will become master of the virtual host if it
1221: believes it can send advertisements more frequently than the current master.
1222: Disabled by default.
1223: .It Li ip.allowsrcrt
1224: If set to 1, the host accepts source routed packets.
1225: .It Li ip.anonportmax
1226: The highest port number to use for TCP and UDP ephemeral port allocation.
1227: This cannot be set to less than 1024 or greater than 65535, and must
1228: be greater than
1229: .Li ip.anonportmin .
1230: .It Li ip.anonportmin
1231: The lowest port number to use for TCP and UDP ephemeral port allocation.
1232: This cannot be set to less than 1024 or greater than 65535.
1233: .It Li ip.checkinterface
1234: If set to non-zero, the host will reject packets addressed to it
1235: that arrive on an interface not bound to that address.
1236: Currently, this must be disabled if ipnat is used to translate the
1237: destination address to another local interface, or if addresses
1238: are added to the loopback interface instead of the interface where
1239: the packets for those addresses are received.
1240: .It Li ip.directed-broadcast
1241: If set to 1, enables directed broadcast behavior for the host.
1242: .It Li ip.do_loopback_cksum
1243: Perform IP checksum on loopback.
1244: .It Li ip.forwarding
1245: If set to 1, enables IP forwarding for the host,
1246: meaning that the host is acting as a router.
1247: .It Li ip.forwsrcrt
1248: If set to 1, enables forwarding of source-routed packets for the host.
1249: This value may only be changed if the kernel security level is less than 1.
1250: .It Li ip.gifttl
1251: The maximum time-to-live (hop count) value for an IPv4 packet generated by
1252: .Xr gif 4
1253: tunnel interface.
1254: .It Li ip.grettl
1255: The maximum time-to-live (hop count) value for an IPv4 packet generated by
1256: .Xr gre 4
1257: tunnel interface.
1.8 liamjfoy 1258: .It Li ip.hashsize
1259: The size of IPv4 Fast Forward hash table.
1260: This value must be a power of 2 (64, 256...).
1261: A larger hash table size results in fewer collisions.
1262: Also see
1263: .Li ip.maxflows .
1.1 pavel 1264: .It Li ip.hostzerobroadcast
1265: All zeroes address is broadcast address.
1266: .It Li ip.lowportmax
1267: The highest port number to use for TCP and UDP reserved port allocation.
1268: This cannot be set to less than 0 or greater than 1024, and must
1269: be greater than
1270: .Li ip.lowportmin .
1271: .It Li ip.lowportmin
1272: The lowest port number to use for TCP and UDP reserved port allocation.
1273: This cannot be set to less than 0 or greater than 1024, and must
1274: be smaller than
1275: .Li ip.lowportmax .
1276: .It Li ip.maxflows
1.5 liamjfoy 1277: IPv4 Fast Forwarding is enabled by default.
1278: If set to 0, IPv4 Fast Forwarding is disabled.
1.1 pavel 1279: .Li ip.maxflows
1280: controls the maximum number of flows which can be created.
1281: The default value is 256.
1282: .It Li ip.maxfragpackets
1283: The maximum number of fragmented packets the node will accept.
1284: 0 means that the node will not accept any fragmented packets.
1285: \-1 means that the node will accept as many fragmented packets as it receives.
1286: The flag is provided basically for avoiding possible DoS attacks.
1287: .It Li ip.mtudisc
1288: If set to 1, enables Path MTU Discovery (RFC 1191).
1289: When Path MTU Discovery is enabled, the transmitted TCP segment
1290: size will be determined by the advertised maximum segment size
1291: (MSS) from the remote end, as constrained by the path MTU.
1292: If MTU Discovery is disabled, the transmitted segment size will
1293: never be greater than
1294: .Li tcp.mssdflt
1295: (the local maximum segment size).
1296: .It Li ip.mtudisctimeout
1297: The number of seconds in which a route added by the Path MTU
1298: Discovery engine will time out.
1299: When the route times out, the Path
1300: MTU Discovery engine will attempt to probe a larger path MTU.
1301: .It Li ip.random_id
1302: Assign random ip_id values.
1303: .It Li ip.redirect
1304: If set to 1, ICMP redirects may be sent by the host.
1305: This option is ignored unless the host is routing IP packets,
1306: and should normally be enabled on all systems.
1307: .It Li ip.subnetsarelocal
1308: If set to 1, subnets are to be considered local addresses.
1309: .It Li ip.ttl
1310: The maximum time-to-live (hop count) value for an IP packet sourced by
1311: the system.
1312: This value applies to normal transport protocols, not to ICMP.
1313: .It Li icmp.errppslimit
1314: The variable specifies the maximum number of outgoing ICMP error messages,
1315: per second.
1316: ICMP error messages that exceed the value are subject to rate limitation
1317: and will not go out from the node.
1318: A negative value disables rate limitation.
1319: .It Li icmp.maskrepl
1320: If set to 1, ICMP network mask requests are to be answered.
1321: .It Li icmp.rediraccept
1322: If set to non-zero, the host will accept ICMP redirect packets.
1323: Note that routers will never accept ICMP redirect packets,
1324: and the variable is meaningful on IP hosts only.
1325: .It Li icmp.redirtimeout
1326: The variable specifies the lifetime of routing entries generated by incoming
1327: ICMP redirect.
1328: This defaults to 600 seconds.
1329: .It Li icmp.returndatabytes
1330: Number of bytes to return in an ICMP error message.
1.28 christos 1331: .It Li icmp.bmcastecho
1332: If set to 1, enables responding to ICMP echo or timestamp request to the
1333: broadcast address.
1.1 pavel 1334: .It Li tcp.ack_on_push
1335: If set to 1, TCP is to immediately transmit an ACK upon reception of
1336: a packet with PUSH set.
1337: This can avoid losing a round trip time in some rare situations,
1338: but has the caveat of potentially defeating TCP's delayed ACK algorithm.
1339: Use of this option is generally not recommended, but
1340: the variable exists in case your configuration really needs it.
1341: .It Li tcp.compat_42
1342: If set to 1, enables work-arounds for bugs in the 4.2BSD TCP implementation.
1343: Use of this option is not recommended, although it may be
1344: required in order to communicate with extremely old TCP implementations.
1345: .It Li tcp.cwm
1346: If set to 1, enables use of the Hughes/Touch/Heidemann Congestion Window
1347: Monitoring algorithm.
1348: This algorithm prevents line-rate bursts of packets that could
1349: otherwise occur when data begins flowing on an idle TCP connection.
1350: These line-rate bursts can contribute to network and router congestion.
1351: This can be particularly useful on World Wide Web servers
1352: which support HTTP/1.1, which has lingering connections.
1353: .It Li tcp.cwm_burstsize
1354: The Congestion Window Monitoring allowed burst size, in terms
1355: of packet count.
1356: .It Li tcp.delack_ticks
1357: Number of ticks to delay sending an ACK.
1358: .It Li tcp.do_loopback_cksum
1359: Perform TCP checksum on loopback.
1360: .It Li tcp.init_win
1361: A value indicating the TCP initial congestion window.
1362: If this value is 0, an auto-tuning algorithm designed to use an initial
1363: window of approximately 4K bytes is in use.
1364: Otherwise, this value indicates a fixed number of packets.
1365: .It Li tcp.init_win_local
1366: Like
1367: .Li tcp.init_win ,
1368: but used when communicating with hosts on a local network.
1369: .It Li tcp.keepcnt
1370: Number of keepalive probes sent before declaring a connection dead.
1371: If set to zero, there is no limit;
1372: keepalives will be sent until some kind of
1373: response is received from the peer.
1374: .It Li tcp.keepidle
1375: Time a connection must be idle before keepalives are sent (if keepalives
1376: are enabled for the connection).
1377: See also tcp.slowhz.
1378: .It Li tcp.keepintvl
1379: Time after a keepalive probe is sent until, in the absence of any response,
1380: another probe is sent.
1381: See also tcp.slowhz.
1382: .It Li tcp.log_refused
1383: If set to 1, refused TCP connections to the host will be logged.
1.12 christos 1384: .It Li tcp.keepinit
1385: Timeout in seconds during connection establishment.
1.1 pavel 1386: .It Li tcp.mss_ifmtu
1387: If set to 1, TCP calculates the outgoing maximum segment size based on
1388: the MTU of the appropriate interface.
1389: If set to 0, it is calculated based on the greater of the MTU of the
1390: interface, and the largest (non-loopback) interface MTU on the system.
1391: .It Li tcp.mssdflt
1392: The default maximum segment size both advertised to the peer
1393: and to use when either the peer does not advertise a maximum segment size to
1394: us during connection setup or Path MTU Discovery
1395: .Li ( ip.mtudisc )
1396: is disabled.
1397: Do not change this value unless you really know what you are doing.
1398: .It Li tcp.recvspace
1399: The default TCP receive buffer size.
1400: .It Li tcp.rfc1323
1401: If set to 1, enables RFC 1323 extensions to TCP.
1402: .It Li tcp.rstppslimit
1403: The variable specifies the maximum number of outgoing TCP RST packets,
1404: per second.
1405: TCP RST packets that exceed the value are subject to rate limitation
1406: and will not go out from the node.
1407: A negative value disables rate limitation.
1.13 christos 1408: .It Li tcp.ident
1409: Return the user ID of a connected socket pair.
1410: (RFC1413 Identification Protocol lookups.)
1411: .It Li tcp.drop
1412: Drop a TCP socket pair connection.
1.1 pavel 1413: .It Li tcp.sack.enable
1414: If set to 1, enables RFC 2018 Selective ACKnowledgement.
1415: .It Li tcp.sack.globalholes
1416: Global number of TCP SACK holes.
1417: .It Li tcp.sack.globalmaxholes
1418: Global maximum number of TCP SACK holes.
1419: .It Li tcp.sack.maxholes
1420: Maximum number of TCP SACK holes allowed per connection.
1421: .It Li tcp.ecn.enable
1422: If set to 1, enables RFC 3168 Explicit Congestion Notification.
1423: .It Li tcp.ecn.maxretries
1424: Number of times to retry sending the ECN-setup packet.
1425: .It Li tcp.sendspace
1426: The default TCP send buffer size.
1427: .It Li tcp.slowhz
1428: The units for tcp.keepidle and tcp.keepintvl; those variables are in ticks
1429: of a clock that ticks tcp.slowhz times per second.
1430: (That is, their values
1431: must be divided by the tcp.slowhz value to get times in seconds.)
1432: .It Li tcp.syn_bucket_limit
1433: The maximum number of entries allowed per hash bucket in the TCP
1434: compressed state engine.
1435: .It Li tcp.syn_cache_limit
1436: The maximum number of entries allowed in the TCP compressed state
1437: engine.
1438: .It Li tcp.timestamps
1439: If rfc1323 is enabled, a value of 1 indicates RFC 1323 time stamp options,
1440: used for measuring TCP round trip times, are enabled.
1441: .It Li tcp.win_scale
1442: If rfc1323 is enabled, a value of 1 indicates RFC 1323 window scale options,
1443: for increasing the TCP window size, are enabled.
1444: .It Li tcp.congctl.available
1445: The available TCP congestion control algorithms.
1446: .It Li tcp.congctl.selected
1447: The currently selected TCP congestion control algorithm.
1448: .It Li tcp.abc.enable
1449: If set to 1, use RFC 3465 Appropriate Byte Counting (ABC).
1450: If set to 0, use traditional Packet Counting.
1451: .It Li tcp.abc.aggressive
1452: Choose the L parameter found in RFC 3465.
1453: L is the maximum cwnd increase for an ack during slow start.
1454: If set to 1, use L=2*SMSS.
1455: If set to 0, use L=1*SMSS.
1456: It has no effect unless tcp.abc.enable is set to 1.
1457: .It Li udp.checksum
1458: If set to 1, UDP checksums are being computed.
1459: Received non-zero UDP checksums are always checked.
1460: Disabling UDP checksums is strongly discouraged.
1461: .It Li udp.sendspace
1462: The default UDP send buffer size.
1463: .It Li udp.recvspace
1464: The default UDP receive buffer size.
1465: .El
1466: .Pp
1467: For variables net.*.ipsec, please refer to
1468: .Xr ipsec 4 .
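Several of the net.inet variables described above decide whether the host forwards packets, honours source routes or redirects, or rate-limits its own error traffic, so they are worth checking against a baseline. The following is an added example, not part of the manual page or of NetBSD: the baseline values are an assumed policy for a host that is not a router, the "name = value" line format is assumed to match what the sysctl utility prints, and the sample text is constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum op { OP_EQ, OP_MIN };	/* value must equal / must be at least */

struct rule {
	const char *name;
	enum op op;
	long want;
	const char *reason;
};

/* Assumed baseline for a non-routing host; reasons follow the text above. */
static const struct rule baseline[] = {
	{ "net.inet.ip.forwarding", OP_EQ, 0, "host acts as a router" },
	{ "net.inet.ip.allowsrcrt", OP_EQ, 0, "accepts source routed packets" },
	{ "net.inet.ip.forwsrcrt", OP_EQ, 0, "forwards source-routed packets" },
	{ "net.inet.ip.directed-broadcast", OP_EQ, 0, "directed broadcast on" },
	{ "net.inet.ip.maxfragpackets", OP_MIN, 0, "-1 removes the fragment limit" },
	{ "net.inet.icmp.rediraccept", OP_EQ, 0, "accepts ICMP redirects" },
	{ "net.inet.icmp.maskrepl", OP_EQ, 0, "answers ICMP mask requests" },
	{ "net.inet.icmp.bmcastecho", OP_EQ, 0, "answers broadcast echo" },
	{ "net.inet.icmp.errppslimit", OP_MIN, 0, "negative disables rate limit" },
	{ "net.inet.tcp.rstppslimit", OP_MIN, 0, "negative disables rate limit" },
	{ "net.inet.tcp.compat_42", OP_EQ, 0, "4.2BSD work-arounds enabled" },
	{ "net.inet.udp.checksum", OP_EQ, 1, "UDP checksums disabled" },
};

/* Constructed sample of "name = value" lines; not taken from a real host. */
static const char sample_sysctl[] =
    "net.inet.ip.forwarding = 0\n"
    "net.inet.ip.allowsrcrt = 1\n"
    "net.inet.ip.forwsrcrt = 0\n"
    "net.inet.ip.maxfragpackets = -1\n"
    "net.inet.icmp.rediraccept = 1\n"
    "net.inet.icmp.errppslimit = 100\n"
    "net.inet.tcp.rstppslimit = -1\n"
    "net.inet.tcp.congctl.selected = newreno\n"
    "net.inet.udp.checksum = 1\n";

/*
 * Check one line.  Returns 1 if it violates the baseline (rule in *hit),
 * 0 if it complies, -1 if it is not an integer variable in the baseline.
 */
static int
check_line(const char *line, size_t len, const struct rule **hit)
{
	char buf[128], *sep, *end;
	long val;

	if (len == 0 || len >= sizeof(buf))
		return -1;
	memcpy(buf, line, len);
	buf[len] = '\0';
	if ((sep = strstr(buf, " = ")) == NULL)
		return -1;
	*sep = '\0';
	errno = 0;
	val = strtol(sep + 3, &end, 10);
	if (errno != 0 || end == sep + 3 || *end != '\0')
		return -1;	/* string or struct variable */
	for (size_t i = 0; i < sizeof(baseline) / sizeof(baseline[0]); i++) {
		const struct rule *r = &baseline[i];

		if (strcmp(buf, r->name) != 0)
			continue;
		*hit = r;
		return r->op == OP_EQ ? val != r->want : val < r->want;
	}
	return -1;
}

/* Audit a block of lines; returns the number of baseline violations. */
static int
audit(const char *text, int verbose)
{
	int bad = 0;

	while (*text != '\0') {
		size_t len = strcspn(text, "\n");
		const struct rule *r = NULL;

		if (check_line(text, len, &r) == 1) {
			bad++;
			if (verbose)
				printf("%.*s  <- %s\n", (int)len, text,
				    r->reason);
		}
		text += len;
		if (*text == '\n')
			text++;
	}
	return bad;
}

int
main(void)
{
	printf("%d deviation(s) from the baseline\n", audit(sample_sysctl, 1));
	return 0;
}
```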
1469: .It Li net.inet6 ( PF_INET6 )
1470: Get or set various global information about the IPv6
1471: .Pq Internet Protocol version 6 .
1472: The third level name is the protocol.
1473: The fourth level name is the variable name.
1474: The currently defined protocols and names are:
1.21 joerg 1475: .Bl -column "Protocol name" "do_loopback_cksum" "integer" "Changeable" -offset indent
1.1 pavel 1476: .It Sy Protocol name Variable name Type Changeable
1477: .It icmp6 errppslimit integer yes
1478: .It icmp6 mtudisc_hiwat integer yes
1479: .It icmp6 mtudisc_lowat integer yes
1480: .It icmp6 nd6_debug integer yes
1481: .It icmp6 nd6_delay integer yes
1482: .It icmp6 nd6_maxnudhint integer yes
1483: .It icmp6 nd6_mmaxtries integer yes
1484: .It icmp6 nd6_prune integer yes
1485: .It icmp6 nd6_umaxtries integer yes
1486: .It icmp6 nd6_useloopback integer yes
1487: .It icmp6 nodeinfo integer yes
1488: .It icmp6 rediraccept integer yes
1489: .It icmp6 redirtimeout integer yes
1490: .It ip6 accept_rtadv integer yes
1491: .It ip6 anonportmax integer yes
1492: .It ip6 anonportmin integer yes
1493: .It ip6 auto_flowlabel integer yes
1494: .It ip6 dad_count integer yes
1495: .It ip6 defmcasthlim integer yes
1496: .It ip6 forwarding integer yes
1497: .It ip6 gifhlim integer yes
1.7 liamjfoy 1498: .It ip6 hashsize integer yes
1.1 pavel 1499: .It ip6 hlim integer yes
1500: .It ip6 hdrnestlimit integer yes
1501: .It ip6 kame_version string no
1502: .It ip6 keepfaith integer yes
1503: .It ip6 log_interval integer yes
1504: .It ip6 lowportmax integer yes
1505: .It ip6 lowportmin integer yes
1.5 liamjfoy 1506: .It ip6 maxflows integer yes
1.1 pavel 1507: .It ip6 maxfragpackets integer yes
1508: .It ip6 maxfrags integer yes
1509: .It ip6 redirect integer yes
1510: .It ip6 rr_prune integer yes
1511: .It ip6 use_deprecated integer yes
1512: .It ip6 v6only integer yes
1513: .It udp6 do_loopback_cksum integer yes
1514: .It udp6 recvspace integer yes
1515: .It udp6 sendspace integer yes
1516: .El
1517: .Pp
1518: The variables are as follows:
1519: .Bl -tag -width "123456"
1520: .It Li ip6.accept_rtadv
1521: If set to non-zero, the node will accept ICMPv6 router advertisement packets
1522: and autoconfigure address prefixes and default routers.
1523: The node must be a host
1524: .Pq not a router
1525: for the option to be meaningful.
1526: .It Li ip6.anonportmax
1527: The highest port number to use for TCP and UDP ephemeral port allocation.
1528: This cannot be set to less than 1024 or greater than 65535, and must
1529: be greater than
1530: .Li ip6.anonportmin .
1531: .It Li ip6.anonportmin
1532: The lowest port number to use for TCP and UDP ephemeral port allocation.
1533: This cannot be set to less than 1024 or greater than 65535.
1534: .It Li ip6.auto_flowlabel
1535: On connected transport protocol packets,
1536: fill the IPv6 flowlabel field to help intermediate routers identify packet flows.
1537: .It Li ip6.dad_count
1538: The variable configures the number of IPv6 DAD
1539: .Pq duplicate address detection
1540: probe packets.
1541: The packets will be generated when IPv6 interface addresses are configured.
1542: .It Li ip6.defmcasthlim
1543: The default hop limit value for an IPv6 multicast packet sourced by the node.
1544: This value applies to all the transport protocols on top of IPv6.
1545: There are APIs to override the value, as documented in
1546: .Xr ip6 4 .
1547: .It Li ip6.forwarding
1548: If set to 1, enables IPv6 forwarding for the node,
1549: meaning that the node is acting as a router.
1550: If set to 0, disables IPv6 forwarding for the node,
1551: meaning that the node is acting as a host.
1552: The IPv6 specification defines node behavior for
1553: .Dq router
1554: case and
1555: .Dq host
1556: case quite differently, and changing this variable during operation
1557: may cause serious trouble.
1558: It is recommended to configure the variable at bootstrap time,
1559: and bootstrap time only.
1560: .It Li ip6.gifhlim
1561: The maximum hop limit value for an IPv6 packet generated by
1562: .Xr gif 4
1563: tunnel interface.
1564: .It Li ip6.hdrnestlimit
1565: The number of IPv6 extension headers permitted on incoming IPv6 packets.
1566: If set to 0, the node will accept as many extension headers as possible.
1.7 liamjfoy 1567: .It Li ip6.hashsize
1568: The size of IPv6 Fast Forward hash table.
1569: This value must be a power of 2 (64, 256...).
1570: A larger hash table size results in fewer collisions.
1571: Also see
1572: .Li ip6.maxflows .
1.1 pavel 1573: .It Li ip6.hlim
1574: The default hop limit value for an IPv6 unicast packet sourced by the node.
1575: This value applies to all the transport protocols on top of IPv6.
1576: There are APIs to override the value, as documented in
1577: .Xr ip6 4 .
1578: .It Li ip6.kame_version
1579: The string identifies the version of KAME IPv6 stack implemented in the kernel.
1580: .It Li ip6.keepfaith
1581: If set to non-zero, it enables
1582: .Dq FAITH
1583: TCP relay IPv6-to-IPv4 translator code in the kernel.
1584: Refer to
1585: .Xr faith 4
1586: and
1587: .Xr faithd 8
1588: for details.
1589: .It Li ip6.log_interval
1590: The variable controls amount of logs generated by IPv6 packet
1591: forwarding engine, by setting interval between log output
1592: .Pq in seconds .
1593: .It Li ip6.lowportmax
1594: The highest port number to use for TCP and UDP reserved port allocation.
1595: This cannot be set to less than 0 or greater than 1024, and must
1596: be greater than
1597: .Li ip6.lowportmin .
1598: .It Li ip6.lowportmin
1599: The lowest port number to use for TCP and UDP reserved port allocation.
1600: This cannot be set to less than 0 or greater than 1024, and must
1601: be smaller than
1602: .Li ip6.lowportmax .
1.5 liamjfoy 1603: .It Li ip6.maxflows
1604: IPv6 Fast Forwarding is enabled by default.
1605: If set to 0, IPv6 Fast Forwarding is disabled.
1606: .Li ip6.maxflows
1607: controls the maximum number of flows which can be created.
1.6 liamjfoy 1608: The default value is 256.
1.1 pavel 1609: .It Li ip6.maxfragpackets
1610: The maximum number of fragmented packets the node will accept.
1611: 0 means that the node will not accept any fragmented packets.
1612: \-1 means that the node will accept as many fragmented packets as it receives.
1613: The flag is provided basically for avoiding possible DoS attacks.
1614: .It Li ip6.maxfrags
1615: The maximum number of fragments the node will accept.
1616: 0 means that the node will not accept any fragments.
1617: \-1 means that the node will accept as many fragments as it receives.
1618: The flag is provided basically for avoiding possible DoS attacks.
1619: .It Li ip6.redirect
1620: If set to 1, ICMPv6 redirects may be sent by the node.
1621: This option is ignored unless the node is routing IP packets,
1622: and should normally be enabled on all systems.
1623: .It Li ip6.rr_prune
1624: The variable specifies interval between IPv6 router renumbering prefix
1625: babysitting, in seconds.
1626: .It Li ip6.use_deprecated
1627: The variable controls use of deprecated address, specified in RFC 2462 5.5.4.
1628: .It Li ip6.v6only
1629: The variable specifies initial value for
1630: .Dv IPV6_V6ONLY
1631: socket option for
1632: .Dv AF_INET6
1633: socket.
1634: Please refer to
1635: .Xr ip6 4
1636: for detail.
1637: .It Li icmp6.errppslimit
1638: The variable specifies the maximum number of outgoing ICMPv6 error messages,
1639: per second.
1640: ICMPv6 error messages that exceed the value are subject to rate limitation
1641: and will not go out from the node.
1642: A negative value disables rate limitation.
1643: .It Li icmp6.mtudisc_hiwat
1644: .It Li icmp6.mtudisc_lowat
1645: The variables define the maximum number of routing table entries,
1646: created due to path MTU discovery
1647: .Pq prevents denial-of-service attacks with ICMPv6 too big messages .
1648: When IPv6 path MTU discovery happens, we keep path MTU information in
1649: the routing table.
1650: If the number of routing table entries exceeds the value,
1651: the kernel will not attempt to keep the path MTU information.
1652: .Li icmp6.mtudisc_hiwat
1653: is used when we have verified ICMPv6 too big messages.
1654: .Li icmp6.mtudisc_lowat
1655: is used when we have unverified ICMPv6 too big messages.
1656: Verification is performed by using address/port pairs kept in connected pcbs.
1657: A negative value disables the upper limit.
1658: .It Li icmp6.nd6_debug
1659: If set to non-zero, kernel IPv6 neighbor discovery code will generate
1660: debugging messages.
1661: The debug outputs are useful to diagnose IPv6 interoperability issues.
1662: The flag must be set to 0 for normal operation.
1663: .It Li icmp6.nd6_delay
1664: The variable specifies
1665: .Dv DELAY_FIRST_PROBE_TIME
1666: timing constant in IPv6 neighbor discovery specification
1667: .Pq RFC 2461 ,
1668: in seconds.
1669: .It Li icmp6.nd6_maxnudhint
1670: IPv6 neighbor discovery permits upper layer protocols to supply reachability
1671: hints, to avoid unnecessary neighbor discovery exchanges.
1672: The variable defines the number of consecutive hints the neighbor discovery
1673: layer will take.
1674: For example, by setting the variable to 3, neighbor discovery layer
1675: will take at most 3 consecutive hints.
1676: After receiving 3 hints, neighbor discovery layer will perform
1677: normal neighbor discovery process.
1678: .It Li icmp6.nd6_mmaxtries
1679: The variable specifies
1680: .Dv MAX_MULTICAST_SOLICIT
1681: constant in IPv6 neighbor discovery specification
1682: .Pq RFC 2461 .
1683: .It Li icmp6.nd6_prune
1684: The variable specifies interval between IPv6 neighbor cache babysitting,
1685: in seconds.
1686: .It Li icmp6.nd6_umaxtries
1687: The variable specifies
1688: .Dv MAX_UNICAST_SOLICIT
1689: constant in IPv6 neighbor discovery specification
1690: .Pq RFC 2461 .
1691: .It Li icmp6.nd6_useloopback
1692: If set to non-zero, kernel IPv6 stack will use loopback interface for
1693: local traffic.
1694: .It Li icmp6.nodeinfo
1695: The variable enables responses to ICMPv6 node information queries.
1696: If you set the variable to 0, responses will not be generated for
1697: ICMPv6 node information queries.
1698: Since node information queries can have a security impact, it is
1699: possible to fine tune which responses should be answered.
1700: Two separate bits can be set.
1701: .Bl -tag -width "12345"
1702: .It 1
1703: Respond to ICMPv6 FQDN queries, e.g.
1704: .Li ping6 -w .
1705: .It 2
1706: Respond to ICMPv6 node addresses queries, e.g.
1707: .Li ping6 -a .
1708: .El
1709: .It Li icmp6.rediraccept
1710: If set to non-zero, the host will accept ICMPv6 redirect packets.
1711: Note that IPv6 routers will never accept ICMPv6 redirect packets,
1712: and the variable is meaningful on IPv6 hosts
1713: .Pq non-router
1714: only.
1715: .It Li icmp6.redirtimeout
1716: The variable specifies lifetime of routing entries generated by incoming
1717: ICMPv6 redirect.
1718: .It Li udp6.do_loopback_cksum
1719: Perform UDP checksum on loopback.
1720: .It Li udp6.recvspace
1721: Default UDP receive buffer size.
1722: .It Li udp6.sendspace
1723: Default UDP send buffer size.
1724: .El
1725: .Pp
1726: We reuse net.*.tcp for
1727: .Tn TCP
1728: over
1729: .Tn IPv6 ,
1730: and therefore we do not have variables net.*.tcp6.
1731: Variables net.inet6.udp6 have identical meaning to net.inet.udp.
1732: Please refer to
1733: .Li PF_INET
1734: section above.
1735: For variables net.*.ipsec6, please refer to
1736: .Xr ipsec 4 .
1737: .It Li net.key ( PF_KEY )
1738: Get or set various global information about the IPsec key management.
1739: The third level name is the variable name.
1740: The currently defined variable and names are:
1.21 joerg 1741: .Bl -column "blockacq_lifetime" "integer" "Changeable" -offset indent
1.1 pavel 1742: .It Sy Variable name Type Changeable
1743: .It debug integer yes
1744: .It spi_try integer yes
1745: .It spi_min_value integer yes
1746: .It spi_max_value integer yes
1747: .It larval_lifetime integer yes
1748: .It blockacq_count integer yes
1749: .It blockacq_lifetime integer yes
1750: .It esp_keymin integer yes
1751: .It esp_auth integer yes
1752: .It ah_keymin integer yes
1753: .El
1.21 joerg 1754: .Pp
1.1 pavel 1755: The variables are as follows:
1756: .Bl -tag -width "123456"
1757: .It Li debug
1758: Turn on debugging messages from within the kernel.
1759: The value is a bitmap, as defined in
1760: .Pa /usr/include/netkey/key_debug.h .
1761: .It Li spi_try
1762: The number of times the kernel will try to obtain a unique SPI
1763: when it generates it from the random number generator.
1764: .It Li spi_min_value
1765: Minimum SPI value when generating it within the kernel.
1766: .It Li spi_max_value
1767: Maximum SPI value when generating it within the kernel.
1768: .It Li larval_lifetime
1769: Lifetime for LARVAL SAD entries, in seconds.
1770: .It Li blockacq_count
1771: Number of ACQUIRE PF_KEY messages to be blocked after an ACQUIRE message.
1772: It prevents a flood of ACQUIRE PF_KEY messages from being sent from the kernel to the
1773: key management daemon.
1774: .It Li blockacq_lifetime
1775: Lifetime of ACQUIRE PF_KEY message.
1776: .It Li esp_keymin
1777: Minimum ESP key length, in bits.
1778: The value is used when the kernel creates proposal payload
1779: on ACQUIRE PF_KEY message.
1780: .It Li esp_auth
1781: Whether ESP authentication should be used or not.
1782: Non-zero value indicates that ESP authentication should be used.
1783: The value is used when the kernel creates proposal payload
1784: on ACQUIRE PF_KEY message.
1785: .It Li ah_keymin
1786: Minimum AH key length, in bits.
1787: The value is used when the kernel creates proposal payload
1788: on ACQUIRE PF_KEY message.
1789: .El
1790: .El
1.50 jruoho 1791: .Ss The proc.* subtree
1.1 pavel 1792: The string and integer information available for the
1793: .Li proc
1794: level is detailed below.
1795: The changeable column shows whether a process with appropriate
1796: privilege may change the value.
1797: These values are per-process,
1798: and as such may change from one process to another.
1799: When a process is created,
1800: the default values are inherited from its parent.
1801: When a set-user-ID or set-group-ID binary is executed, the
1802: value of PROC_PID_CORENAME is reset to the system default value.
1803: The second level name is either the magic value PROC_CURPROC, which
1804: points to the current process, or the PID of the target process.
1.21 joerg 1805: .Bl -column "proc.pid.corename" "string" "not applicable" -offset indent
1.1 pavel 1806: .It Sy Third level name Type Changeable
1807: .It proc.pid.corename string yes
1808: .It proc.pid.rlimit node not applicable
1809: .It proc.pid.stopfork int yes
1810: .It proc.pid.stopexec int yes
1811: .It proc.pid.stopexit int yes
1812: .El
1813: .Bl -tag -width "123456"
1814: .It Li proc.pid.corename ( PROC_PID_CORENAME )
1815: The template used for the core dump file name (see
1816: .Xr core 5
1817: for details).
1818: The base name must either be
1819: .Nm core
1820: or end with the suffix ``.core'' (the super-user may set arbitrary names).
1821: By default it points to KERN_DEFCORENAME.
1822: .It Li proc.pid.rlimit ( PROC_PID_LIMIT )
1823: Return resource limits, as defined for the
1824: .Xr getrlimit 2
1825: and
1826: .Xr setrlimit 2
1827: system calls.
1828: The fourth level name is one of:
1829: .Bl -tag -width PROC_PID_LIMIT_MEMLOCKAA
1830: .It Li proc.pid.rlimit.cputime ( PROC_PID_LIMIT_CPU )
1831: The maximum amount of CPU time (in seconds) to be used by each process.
1832: .It Li proc.pid.rlimit.filesize ( PROC_PID_LIMIT_FSIZE )
1833: The largest size (in bytes) file that may be created.
1834: .It Li proc.pid.rlimit.datasize ( PROC_PID_LIMIT_DATA )
1835: The maximum size (in bytes) of the data segment for a process;
1836: this defines how far a program may extend its break with the
1837: .Xr sbrk 2
1838: system call.
1839: .It Li proc.pid.rlimit.stacksize ( PROC_PID_LIMIT_STACK )
1840: The maximum size (in bytes) of the stack segment for a process;
1841: this defines how far a program's stack segment may be extended.
1842: Stack extension is performed automatically by the system.
1843: .It Li proc.pid.rlimit.coredumpsize ( PROC_PID_LIMIT_CORE )
1844: The largest size (in bytes)
1845: .Pa core
1846: file that may be created.
1847: .It Li proc.pid.rlimit.memoryuse ( PROC_PID_LIMIT_RSS )
1848: The maximum size (in bytes) to which a process's resident set size may
1849: grow.
1850: This imposes a limit on the amount of physical memory to be given to
1851: a process; if memory is tight, the system will prefer to take memory
1852: from processes that are exceeding their declared resident set size.
1853: .It Li proc.pid.rlimit.memorylocked ( PROC_PID_LIMIT_MEMLOCK )
1854: The maximum size (in bytes) which a process may lock into memory
1855: using the
1856: .Xr mlock 2
1857: function.
1858: .It Li proc.pid.rlimit.maxproc ( PROC_PID_LIMIT_NPROC )
1859: The maximum number of simultaneous processes for this user id.
1860: .It Li proc.pid.rlimit.descriptors ( PROC_PID_LIMIT_NOFILE )
1861: The maximum number of open files for this process.
1.22 snj 1862: .It Li proc.pid.rlimit.sbsize ( PROC_PID_LIMIT_SBSIZE )
1863: The maximum size (in bytes) of the socket buffers
1864: set by the
1865: .Xr setsockopt 2
1866: .Dv SO_RCVBUF
1867: and
1868: .Dv SO_SNDBUF
1869: options.
1.1 pavel 1870: .El
1871: .Pp
1872: The fifth level name is one of
1873: .Li soft ( PROC_PID_LIMIT_TYPE_SOFT ) or
1874: .Li hard ( PROC_PID_LIMIT_TYPE_HARD ) ,
1875: to select respectively the soft or hard limit.
1876: Both are of type integer.
1877: .It Li proc.pid.stopfork ( PROC_PID_STOPFORK )
1878: If non zero, the process' children will be stopped after
1879: .Xr fork 2
1880: calls.
1881: Each child is created in the SSTOP state and is never scheduled
1882: for running before being stopped.
1883: This feature helps attach a debugger such as
1884: .Xr gdb 1
1885: to the process before it has had the opportunity to actually do anything.
1886: .Pp
1887: This value is inherited by the process's children, and it also
1888: applies to emulation specific system calls that fork a new process, such as
1889: .Fn sproc
1890: or
1891: .Fn clone .
1892: .It Li proc.pid.stopexec ( PROC_PID_STOPEXEC )
1893: If non zero, the process will be stopped on next
1894: .Xr exec 3
1895: call.
1896: The process created by
1897: .Xr exec 3
1898: is created in the SSTOP state and is never scheduled for running
1899: before being stopped.
1900: This feature helps attach a debugger such as
1901: .Xr gdb 1
1902: to the process before it has had the opportunity to actually do anything.
1903: .Pp
1904: This value is inherited by the process's children.
1905: .It Li proc.pid.stopexit ( PROC_PID_STOPEXIT )
1906: If non zero, the process will be stopped when it has cause to exit,
1907: either by way of calling
1908: .Xr exit 3 ,
1909: .Xr _exit 2 ,
1910: or by the receipt of a specific signal.
1911: The process is stopped before any of its resources or vm space is
1912: released allowing examination of the termination state of a process
1913: before it disappears.
1914: This feature can be used to examine the final conditions of the
1915: process's vmspace via
1916: .Xr pmap 1
1917: or its resource settings with
1918: .Xr sysctl 8
1919: before it disappears.
1920: .Pp
1921: This value is also inherited by the process's children.
1922: .El
1.50 jruoho 1923: .Ss The user.* subtree ( CTL_USER )
1.1 pavel 1924: The string and integer information available for the
1925: .Li user
1926: level is detailed below.
1927: The changeable column shows whether a process with appropriate
1928: privilege may change the value.
1.21 joerg 1929: .Bl -column "user.coll_weights_max" "integer" "Changeable" -offset indent
1.1 pavel 1930: .It Sy Second level name Type Changeable
1931: .It user.atexit_max integer no
1932: .It user.bc_base_max integer no
1933: .It user.bc_dim_max integer no
1934: .It user.bc_scale_max integer no
1935: .It user.bc_string_max integer no
1936: .It user.coll_weights_max integer no
1937: .It user.cs_path string no
1938: .It user.expr_nest_max integer no
1939: .It user.line_max integer no
1940: .It user.posix2_c_bind integer no
1941: .It user.posix2_c_dev integer no
1942: .It user.posix2_char_term integer no
1943: .It user.posix2_fort_dev integer no
1944: .It user.posix2_fort_run integer no
1945: .It user.posix2_localedef integer no
1946: .It user.posix2_sw_dev integer no
1947: .It user.posix2_upe integer no
1948: .It user.posix2_version integer no
1949: .It user.re_dup_max integer no
1950: .It user.stream_max integer no
1951: .It user.stream_max integer no
1952: .It user.tzname_max integer no
1953: .El
1954: .Bl -tag -width "123456"
1955: .It Li user.atexit_max ( USER_ATEXIT_MAX )
1956: The maximum number of functions that may be registered with
1957: .Xr atexit 3 .
1958: .It Li user.bc_base_max ( USER_BC_BASE_MAX )
1959: The maximum ibase/obase values in the
1960: .Xr bc 1
1961: utility.
1962: .It Li user.bc_dim_max ( USER_BC_DIM_MAX )
1963: The maximum array size in the
1964: .Xr bc 1
1965: utility.
1966: .It Li user.bc_scale_max ( USER_BC_SCALE_MAX )
1967: The maximum scale value in the
1968: .Xr bc 1
1969: utility.
1970: .It Li user.bc_string_max ( USER_BC_STRING_MAX )
1971: The maximum string length in the
1972: .Xr bc 1
1973: utility.
1974: .It Li user.coll_weights_max ( USER_COLL_WEIGHTS_MAX )
1975: The maximum number of weights that can be assigned to any entry of
1976: the LC_COLLATE order keyword in the locale definition file.
1977: .It Li user.cs_path ( USER_CS_PATH )
1978: Return a value for the
1979: .Ev PATH
1980: environment variable that finds all the standard utilities.
1981: .It Li user.expr_nest_max ( USER_EXPR_NEST_MAX )
1982: The maximum number of expressions that can be nested within
1983: parentheses by the
1984: .Xr expr 1
1985: utility.
1986: .It Li user.line_max ( USER_LINE_MAX )
1987: The maximum length in bytes of a text-processing utility's input
1988: line.
1989: .It Li user.posix2_char_term ( USER_POSIX2_CHAR_TERM )
1990: Return 1 if the system supports at least one terminal type capable of
1991: all operations described in POSIX 1003.2, otherwise 0.
1992: .It Li user.posix2_c_bind ( USER_POSIX2_C_BIND )
1993: Return 1 if the system's C-language development facilities support the
1994: C-Language Bindings Option, otherwise 0.
1995: .It Li user.posix2_c_dev ( USER_POSIX2_C_DEV )
1996: Return 1 if the system supports the C-Language Development Utilities Option,
1997: otherwise 0.
1998: .It Li user.posix2_fort_dev ( USER_POSIX2_FORT_DEV )
1999: Return 1 if the system supports the FORTRAN Development Utilities Option,
2000: otherwise 0.
2001: .It Li user.posix2_fort_run ( USER_POSIX2_FORT_RUN )
2002: Return 1 if the system supports the FORTRAN Runtime Utilities Option,
2003: otherwise 0.
2004: .It Li user.posix2_localedef ( USER_POSIX2_LOCALEDEF )
2005: Return 1 if the system supports the creation of locales, otherwise 0.
2006: .It Li user.posix2_sw_dev ( USER_POSIX2_SW_DEV )
2007: Return 1 if the system supports the Software Development Utilities Option,
2008: otherwise 0.
2009: .It Li user.posix2_upe ( USER_POSIX2_UPE )
2010: Return 1 if the system supports the User Portability Utilities Option,
2011: otherwise 0.
2012: .It Li user.posix2_version ( USER_POSIX2_VERSION )
2013: The version of POSIX 1003.2 with which the system attempts to comply.
2014: .It Li user.re_dup_max ( USER_RE_DUP_MAX )
2015: The maximum number of repeated occurrences of a regular expression
2016: permitted when using interval notation.
2017: .It Li user.stream_max ( USER_STREAM_MAX )
2018: The minimum maximum number of streams that a process may have open
2019: at any one time.
2020: .It Li user.tzname_max ( USER_TZNAME_MAX )
2021: The minimum maximum number of types supported for the name of a
2022: timezone.
2023: .El
1.50 jruoho 2024: .Ss The vm.* subtree ( CTL_VM )
1.1 pavel 2025: The string and integer information available for the
2026: .Li vm
2027: level is detailed below.
2028: The changeable column shows whether a process with appropriate
2029: privilege may change the value.
1.21 joerg 2030: .Bl -column "Second level name" "struct uvmexp_sysctl" "Changeable" -offset indent
1.1 pavel 2031: .It Sy Second level name Type Changeable
2032: .It vm.anonmax int yes
2033: .It vm.anonmin int yes
2034: .It vm.bufcache int yes
2035: .It vm.bufmem int no
2036: .It vm.bufmem_hiwater int yes
2037: .It vm.bufmem_lowater int yes
2038: .It vm.execmax int yes
2039: .It vm.execmin int yes
2040: .It vm.filemax int yes
2041: .It vm.filemin int yes
2042: .It vm.loadavg struct loadavg no
2043: .It vm.maxslp int no
2044: .It vm.nkmempages int no
2045: .It vm.uspace int no
2046: .It vm.uvmexp struct uvmexp no
2047: .It vm.uvmexp2 struct uvmexp_sysctl no
2048: .It vm.vmmeter struct vmtotal no
2049: .El
2050: .Pp
2051: .Bl -tag -width "123456"
2052: .It Li vm.anonmax ( VM_ANONMAX )
2053: The percentage of physical memory which will be reclaimed
2054: from other types of memory usage to store anonymous application data.
2055: .It Li vm.anonmin ( VM_ANONMIN )
2056: The percentage of physical memory which will always be available for
2057: anonymous application data.
2058: .It Li vm.bufcache ( VM_BUFCACHE )
2059: The percentage of physical memory which will be available
2060: for the buffer cache.
2061: .It Li vm.bufmem ( VM_BUFMEM )
2062: The amount of kernel memory that is being used by the buffer cache.
2063: .It Li vm.bufmem_lowater ( VM_BUFMEM_LOWATER )
2064: The minimum amount of kernel memory to reserve for the
2065: buffer cache.
2066: .It Li vm.bufmem_hiwater ( VM_BUFMEM_HIWATER )
2067: The maximum amount of kernel memory to be used for the
2068: buffer cache.
2069: .It Li vm.execmax ( VM_EXECMAX )
2070: The percentage of physical memory which will be reclaimed
2071: from other types of memory usage to store cached executable data.
2072: .It Li vm.execmin ( VM_EXECMIN )
2073: The percentage of physical memory which will always be available for
2074: cached executable data.
2075: .It Li vm.filemax ( VM_FILEMAX )
2076: The percentage of physical memory which will be reclaimed
2077: from other types of memory usage to store cached file data.
2078: .It Li vm.filemin ( VM_FILEMIN )
2079: The percentage of physical memory which will always be available for
2080: cached file data.
2081: .It Li vm.loadavg ( VM_LOADAVG )
2082: Return the load average history.
2083: The returned data consists of a
2084: .Va struct loadavg .
2085: .It Li vm.maxslp ( VM_MAXSLP )
2086: The value of the maxslp kernel global variable.
2087: .It Li vm.vmmeter ( VM_METER )
2088: Return system wide virtual memory statistics.
2089: The returned data consists of a
2090: .Va struct vmtotal .
1.31 drochner 2091: .It vm.user_va0_disable
2092: A flag which controls whether user processes can map virtual address 0.
1.1 pavel 2093: .It Li vm.uspace ( VM_USPACE )
2094: The number of bytes allocated for each kernel stack.
2095: .It Li vm.uvmexp ( VM_UVMEXP )
2096: Return system wide virtual memory statistics.
2097: The returned data consists of a
2098: .Va struct uvmexp .
2099: .It Li vm.uvmexp2 ( VM_UVMEXP2 )
2100: Return system wide virtual memory statistics.
2101: The returned data consists of a
2102: .Va struct uvmexp_sysctl .
2103: .\" XXX vm.idlezero
2104: .El
1.50 jruoho 2105: .Ss The ddb.* subtree ( CTL_DDB )
1.34 jruoho 2106: The information available for the
1.1 pavel 2107: .Li ddb
2108: level is detailed below.
2109: The changeable column shows whether a process with appropriate
2110: privilege may change the value.
2111: .\" XXX sort
1.21 joerg 2112: .Bl -column "Second level name" "integer" "Changeable" -offset indent
1.1 pavel 2113: .It Sy Second level name Type Changeable
2114: .It ddb.radix integer yes
2115: .It ddb.maxoff integer yes
1.34 jruoho 2116: .It ddb.maxwidth integer yes
1.1 pavel 2117: .It ddb.lines integer yes
2118: .It ddb.tabstops integer yes
2119: .It ddb.onpanic integer yes
2120: .It ddb.fromconsole integer yes
1.34 jruoho 2121: .It ddb.tee_msgbuf integer yes
2122: .It ddb.commandonenter string yes
1.1 pavel 2123: .El
2124: .Pp
2125: .Bl -tag -width "123456"
1.35 jruoho 2126: .It Li ddb.radix ( DDBCTL_RADIX )
1.1 pavel 2127: The input and output radix.
1.35 jruoho 2128: .It Li ddb.maxoff ( DDBCTL_MAXOFF )
1.1 pavel 2129: The maximum symbol offset.
1.34 jruoho 2130: .It Li ddb.maxwidth ( DDBCTL_MAXWIDTH )
2131: The maximum output line width.
1.35 jruoho 2132: .It Li ddb.lines ( DDBCTL_LINES )
1.1 pavel 2133: Number of display lines.
1.35 jruoho 2134: .It Li ddb.tabstops ( DDBCTL_TABSTOPS )
1.1 pavel 2135: Tab width.
1.35 jruoho 2136: .It Li ddb.onpanic ( DDBCTL_ONPANIC )
1.18 ad 2137: If non-zero, DDB will be entered if the kernel panics.
1.35 jruoho 2138: .It Li ddb.fromconsole ( DDBCTL_FROMCONSOLE )
1.1 pavel 2139: If not zero, DDB may be entered by sending a break on a serial
2140: console or by a special key sequence on a graphics console.
1.34 jruoho 2141: .It Li ddb.tee_msgbuf
2142: If not zero, DDB will also output to the kernel message buffer.
2143: .It Li ddb.commandonenter
2144: If not empty, a command to be executed on each entry to
2145: .Tn DDB .
2146: .\"
2147: .\" XXX: (a) ddb.commandonenter is missing in ddb(4);
2148: .\" (b) No DDBCTL definitions for tee_msgbuf and commandonenter.
1.1 pavel 2149: .El
2150: .Pp
1.34 jruoho 2151: Some of these
2152: .Tn MIB
2153: nodes are also available as variables from within the debugger.
1.1 pavel 2154: See
2155: .Xr ddb 4
2156: for more details.
1.50 jruoho 2157: .Ss The security.* subtree ( CTL_SECURITY )
1.1 pavel 2158: The
2159: .Li security
2160: level contains various security-related settings for
1.2 wiz 2161: the system.
1.43 jruoho 2162: The available second level names are:
2163: .Bl -column "Second level name" "integer" "Changeable" -offset indent
2164: .It Sy Second level name Type Changeable
2165: .It Li security.curtain integer yes
2166: .It Li security.models node not applicable
2167: .It Li security.pax node not applicable
2168: .El
2169: .Pp
1.2 wiz 2170: Available settings are detailed below.
1.1 pavel 2171: .Pp
2172: .Bl -tag -width "123456"
2173: .It Li security.curtain
1.43 jruoho 2174: If non-zero, will filter returned objects according to the user
2175: .Tn ID
1.1 pavel 2176: requesting information about them, preventing users from any
1.43 jruoho 2177: access to objects they do not own.
1.1 pavel 2178: .Pp
2179: At the moment, it affects
2180: .Xr ps 1 ,
2181: .Xr netstat 1
2182: (for
2183: .Dv PF_INET ,
2184: .Dv PF_INET6 ,
2185: and
2186: .Dv PF_UNIX
2187: PCBs), and
2188: .Xr w 1 .
1.4 elad 2189: .It Li security.models
2190: .Nx
2191: supports pluggable security models.
1.17 ad 2192: Every security model used, whether loaded as a module or built with the system,
1.4 elad 2193: is required to add an entry to this node with at least one element,
2194: .Dq name ,
2195: indicating the name of the security model.
2196: .Pp
2197: In addition to the name, any settings and other information private to the
2198: security model will be available under this node.
2199: See
2200: .Xr secmodel 9
2201: for more information.
1.1 pavel 2202: .It Li security.pax
2203: Settings for PaX -- exploit mitigation features.
1.4 elad 2204: For more information on any of the PaX features, please see
2205: .Xr paxctl 8
2206: and
2207: .Xr security 8 .
1.43 jruoho 2208: The available third and fourth level names are:
2209: .Bl -column "security.pax.segvguard.suspend_timeout" "integer" "Changeable" \
2210: -offset 2n
2211: .It Sy Third and fourth level names Ta Sy Type Ta Sy Changeable
2212: .It Li security.pax.aslr.enabled integer yes
2213: .\".It Li security.pax.aslr.exec_len integer yes
2214: .It Li security.pax.aslr.global integer yes
2215: .\".It Li security.pax.aslr.mmap_len integer yes
2216: .\".It Li security.pax.aslr.stack_len integer yes
2217: .It Li security.pax.mprotect.enabled integer yes
2218: .It Li security.pax.mprotect.global integer yes
2219: .It Li security.pax.segvguard.enabled integer yes
2220: .It Li security.pax.segvguard.expiry_timeout integer yes
2221: .It Li security.pax.segvguard.global integer yes
2222: .It Li security.pax.segvguard.max_crashes integer yes
2223: .It Li security.pax.segvguard.suspend_timeout integer yes
2224: .El
1.1 pavel 2225: .Pp
2226: .Bl -tag -width "123456"
1.43 jruoho 2227: .It Li security.pax.aslr.enabled
1.14 elad 2228: Enable PaX ASLR (Address Space Layout Randomization).
2229: .Pp
2230: The value of this
2231: knob must be non-zero for PaX ASLR to be enabled, even if a program is set to
2232: explicit enable.
1.43 jruoho 2233: .\".It Li security.pax.aslr.exec_len
2234: .\" XXX: Undocumented.
1.14 elad 2235: .It Li security.pax.aslr.global
2236: Specifies the default global policy for programs without an
2237: explicit enable/disable flag.
2238: .Pp
2239: When non-zero, all programs will get PaX ASLR, except those exempted with
2240: .Xr paxctl 8 .
2241: Otherwise, all programs will not get PaX ASLR, except those specifically
2242: marked as such with
2243: .Xr paxctl 8 .
1.43 jruoho 2244: .\".It Li security.pax.aslr.mmap_len
2245: .\" XXX: Undocumented.
2246: .\" .It Li security.pax.aslr.stack_len
2247: .\" XXX: Undocumented.
2248: .It Li security.pax.mprotect.enabled
1.1 pavel 2249: Enable PaX MPROTECT restrictions.
2250: .Pp
2251: These are
2252: .Xr mprotect 2
1.2 wiz 2253: restrictions to better enforce a W^X policy.
2254: The value of this
1.1 pavel 2255: knob must be non-zero for PaX MPROTECT to be enabled, even if a
2256: program is set to explicit enable.
2257: .It Li security.pax.mprotect.global
2258: Specifies the default global policy for programs without an
2259: explicit enable/disable flag.
2260: .Pp
2261: When non-zero, all programs will get the PaX MPROTECT restrictions,
2262: except those exempted with
1.4 elad 2263: .Xr paxctl 8 .
1.1 pavel 2264: Otherwise, all programs will not get the PaX MPROTECT restrictions,
2265: except those specifically marked as such with
1.4 elad 2266: .Xr paxctl 8 .
1.43 jruoho 2267: .It Li security.pax.segvguard.enabled
1.1 pavel 2268: Enable PaX Segvguard.
2269: .Pp
2270: PaX Segvguard can detect and prevent certain exploitation attempts, where
2271: an attacker may try for example to brute-force function return addresses
2272: of respawning daemons.
2273: .Pp
2274: .Em Note :
2275: The
2276: .Nx
2277: interface and implementation of the Segvguard is still experimental, and may
2278: change in future releases.
1.43 jruoho 2279: .It Li security.pax.segvguard.expiry_timeout
2280: If the max number was not reached within this timeout (in seconds), the entry
2281: will expire.
1.1 pavel 2282: .It Li security.pax.segvguard.global
2283: Specifies the default global policy for programs without an
2284: explicit enable/disable flag.
2285: .Pp
2286: When non-zero, all programs will get the PaX Segvguard,
2287: except those exempted with
1.4 elad 2288: .Xr paxctl 8 .
1.2 wiz 2289: Otherwise, no program will get the PaX Segvguard restrictions,
1.1 pavel 2290: except those specifically marked as such with
1.4 elad 2291: .Xr paxctl 8 .
1.43 jruoho 2292: .It Li security.pax.segvguard.max_crashes
2293: The maximum number of segfaults a program can receive before suspension.
1.1 pavel 2294: .It Li security.pax.segvguard.suspend_timeout
2295: Number of seconds to suspend a user from running a faulting program when the
2296: limit was exceeded.
2297: .El
2298: .El
1.50 jruoho 2299: .Ss The vendor.* subtree ( CTL_VENDOR )
1.1 pavel 2300: The
2301: .Li vendor
2302: toplevel name is reserved to be used by vendors who wish to
2303: have their own private MIB tree.
2304: Intended use is to store values under
2305: .Dq vendor.\*[Lt]yourname\*[Gt].* .
2306: .Sh SEE ALSO
2307: .Xr sysctl 3 ,
2308: .Xr ipsec 4 ,
2309: .Xr tcp 4 ,
2310: .Xr security 8 ,
2311: .Xr sysctl 8
2312: .Sh HISTORY
2313: The
2314: .Nm
2315: variables first appeared in
2316: .Bx 4.4 .
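Added example (not part of the NetBSD manual page or source tree): a POSIX shell audit of "name = value" sysctl output against the limits and mitigations documented above, flagging values that the descriptions say disable a protection. The baseline policy, the net.inet6. prefix on the ip6/icmp6 names, the function names and the sample dump are assumptions constructed for illustration.

```shell
#!/bin/sh
# Audit "name = value" lines (as printed by sysctl -a) against a baseline
# derived from the semantics described in sysctl(7). The baseline is an
# assumed hardening policy, not a NetBSD default.

# Baseline table: <MIB name> <rule> <reason shown on failure>
#   nonzero  - knob must be enabled
#   zero     - knob must be off
#   nonneg   - a negative value disables the limit
#   positive - 0 means "unlimited"
baseline() {
cat <<'EOF'
security.curtain nonzero users can see objects they do not own
security.pax.aslr.enabled nonzero PaX ASLR is off for every program
security.pax.aslr.global nonzero ASLR only for programs marked with paxctl
security.pax.mprotect.enabled nonzero W^X mprotect restrictions are off
security.pax.mprotect.global nonzero MPROTECT only for programs marked with paxctl
security.pax.segvguard.enabled nonzero no brute-force crash detection
vm.user_va0_disable nonzero user processes may map virtual address 0
net.inet6.ip6.maxfragpackets nonneg -1 accepts unlimited fragmented packets
net.inet6.ip6.maxfrags nonneg -1 accepts unlimited fragments
net.inet6.ip6.hdrnestlimit positive 0 accepts unlimited extension headers
net.inet6.icmp6.errppslimit nonneg negative disables ICMPv6 error rate limiting
net.inet6.icmp6.mtudisc_hiwat nonneg negative removes the path MTU entry limit
net.inet6.icmp6.mtudisc_lowat nonneg negative removes the path MTU entry limit
net.inet6.icmp6.nodeinfo zero node answers FQDN and/or address queries
net.inet6.icmp6.rediraccept zero host accepts ICMPv6 redirects
net.inet6.icmp6.nd6_debug zero must be 0 for normal operation
EOF
}

# Constructed sample dump (not captured from a real host).
sample_sysctl() {
cat <<'EOF'
security.curtain = 0
security.pax.aslr.enabled = 1
security.pax.aslr.global = 0
security.pax.mprotect.enabled = 1
security.pax.mprotect.global = 1
security.pax.segvguard.enabled = 0
vm.user_va0_disable = 1
net.inet6.ip6.maxfragpackets = -1
net.inet6.ip6.maxfrags = 200
net.inet6.ip6.hdrnestlimit = 0
net.inet6.icmp6.errppslimit = 100
net.inet6.icmp6.mtudisc_hiwat = 1280
net.inet6.icmp6.mtudisc_lowat = -1
net.inet6.icmp6.nodeinfo = 3
net.inet6.icmp6.rediraccept = 1
EOF
}

# lookup NAME: print the value of NAME from the dump held in $DUMP.
lookup() {
    printf '%s\n' "$DUMP" | while IFS= read -r line; do
        case $line in
            "$1 = "*) printf '%s\n' "${line#"$1 = "}"; break ;;
        esac
    done
}

# audit_sysctl: read a dump on stdin, print one FAIL/MISSING/SKIP line per
# baseline entry that is violated, absent, or not an integer.
audit_sysctl() {
    DUMP=$(cat)
    baseline | while read -r name kind why; do
        val=$(lookup "$name")
        case $val in
            '') printf 'MISSING %s\n' "$name"; continue ;;
            -|*[!0-9-]*|?*-*)
                printf 'SKIP %s = %s (not an integer)\n' "$name" "$val"
                continue ;;
        esac
        ok=1
        case $kind in
            nonzero)  [ "$val" -ne 0 ] || ok=0 ;;
            zero)     [ "$val" -eq 0 ] || ok=0 ;;
            nonneg)   [ "$val" -ge 0 ] || ok=0 ;;
            positive) [ "$val" -gt 0 ] || ok=0 ;;
        esac
        [ "$ok" -eq 1 ] || printf 'FAIL %s = %s (%s)\n' "$name" "$val" "$why"
    done
}

# Demo on the constructed sample; on a live host use: sysctl -a | audit_sysctl
sample_sysctl | audit_sysctl
```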